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Quantum key distribution (QKD) is the first quantum information task to reach the level of 
mature technology, already fit for commercialization. It aims at the creation of a secret key be- 
tween authorized partners connected by a quantum channel and a classical authenticated channel. 
The security of the key can in principle be guaranteed without putting any restriction on the 
eavesdropper's power. 

The first two sections provide a concise up-to-date review of QKD, biased toward the practical 
side. The rest of the paper presents the essential theoretical tools that have been developed to 
assess the security of the main experimental platforms (discrete variables, continuous variables 
and distributed-phase-reference protocols). 
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I. INTRODUCTION 

A. Cryptography 

Cryptography is a field of applications that provide pri- 
vacy, authentication and confidentiality to users. An im- 
portant subfield is that of secure communication, aiming 
at allowing confidential communication between different 
parties such that no unauthorized party has access to the 
content of the messages. This field has a long history of 
successes and failures, as many methods to encode mes- 
sages emerged along the centuries, always to be broken 
some time later. 

History needs not repeat forever, though. In 1917, Ver- 
nam invented the so-called One-Time Pad encryption, 
which uses a symmetric, r andom secret k ey shared be- 
tween sender and receiver ()Vernaml . [T926h . This scheme 
cannot be broken in principle, provided the parties do 



not reuse their key. Three decades later, Shannon proved 
that the Vernam scheme is optim al: there is no e ncryp- 
tion method that requires less key (|Shannonl . [l949h . This 
means that the key is being used up in the process. To 
employ this scheme, therefore, the communicating par- 
ties must have a secure method to share a key as long 
as the text to be encrypted. Because of this limitation, 
which becomes severe in case huge amounts of informa- 
tion have to be securely transmitted, most cryptographic 
applications nowadays are based on other schemes, whose 
security cannot be proved in principle, but is rather based 
on our experience that some problems are hard to solve. 
In other words, these schemes can be broken, but with 
a substantial amount of computational power. One can 
therefore set a security parameter to a value, such that 
the amount of required computational power lies beyond 
the amount deemed to be available to an adversary; the 
value can be adjusted in time, along with technological 
advances. 

The picture has changed in the last two decades, 
thanks to unexpected inputs from quantum physics. In 
the early 1980s, Bennett and Brassard proposed a solu- 
tion to t he key distribution problem b ased on quantum 
physics ( Bennett and Brassardl I1984T ); this idea , inde- 
pend ently re-discovered by Ekert a few years later ( EkertJ . 
1991,), was the beginning of quantum key distribution 
(QKD) which was to become the most promising task of 
quantum cryptography 1 . Since then, QKD devices have 
constantly increased their key generation rate and have 
started approaching maturity, needed for implementation 
in realistic settings. 

In an intriguing independent development, ten years 
after the advent of QKD, Peter Shor discovered that large 
numbers can in principle be factorized efficiently if one 



1 Quantum cryptography is often identified with QKD, but ac- 
tually comprises all possible tasks related to secrecy that are 
implemented with the help of quantum physics. The first ap- 
pearance of a link between secrecy and quantum physics was 
Wicsner's idea of quantum money, which dates back to the earl y 
1970s although was published a decade later (|Wiesne i Il983h . 
To our knowledge, there is nothing else before Bennett's and 
Brassard's first QKD protocol. In 1999, two new tasks were 
invented and both were given the same name, quantum se- 
cret sharing. In one case, the protocol is a multi-partite gen- 
eralization of key distribution llHillerv. Buzek and Berthiaumd . 
119991 ; iKarlsson. Koashi and Imotd . [1999); in the other case 
it refers to the sharing of secret quantum information, i.e. 
the goal is for the authorized partners to share quan- 
tum information (instead of a list of classical random vari- 
ables) known only to them j Cleve. Gottesman and Let Il999l ; 
lOrepeau. Gottesman and Smith, 2003) ■ Other examples of cryp- 
tographic tasks are bit commitment or oblivious transfer; for 
these tasks, contrary to the case of QKD and secret shar- 
ing, quantum physics cannot guarantee un conditional security 
l|Lo and Chad . ll997l : Oll997l : lMaverslll997l ) and therefore their 
interest seems limited — though new paradigms like "bounded- 
storage models" may change this perception in the future 
llDamgaard et al I 120051 . 120071 : IWehner. Schaffner and Terhall. 
120081) . 
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can perf orm coherent man ipulations on many quantum 
systems (IShorl 11994 11997ft . Factorizing large numbers is 
an example of a mathematical task considered classically 
hard to solve and for this reason related to a class of 
cryptographic schemes which are currently widely used. 
Though quantum computers are not realized yet, the 
mere fact that they could be built brought into awareness 
that the security of some cryptographic schemes may be 
threatened 2 . 

This review focuses therefore on the cryptographic task 
of key distribution, and in particular on its realization us- 
ing quantum physics. Note that a secret key serves many 
useful purposes in cryptography other than message en- 
cryption: it can be used, for example, to authenticate 
messages, that is, to prove that a message has been in- 
deed sent by the claimed sender. 



B. Basics of Quantum Key Distribution (QKD) 

In this paragraph, we introduce the basic elements 
of quantum key distribution (QKD), for the sake of 
those readers who would not be familiar with the field. 
Alternative presentations of this material are avail- 
able in many s ources, rang i ng from books with rather 
general scope (lEkert et all l200lt iLe Bellad . 120061: ILoL 
1998; S caran I 12006ft to other review articles specific 
to the topic dDusek. Liitkenhaus and Hendrvch . 2006 ; 



Gisin. Ribordv. Tittel and Zbindeii r 20021 ;" Lo and Zhao 
2008ft 



1. Generic setting 




FIG. 1 (Color online) The setting of QKD: Alice and Bob 
are connected by a quantum channel, on which Eve can tap 
without any restriction other than the laws of physics; and by 
an authenticated classical channel, which Eve can only listen 
to. 



The classical channel needs to be authenticated: this 
means that Alice and Bob identify themselves; a third 
person can listen to the conversation but cannot partici- 
pate in it. The quantum channel, however, is open to any 
possible manipulation from a third person. Specifically, 
the task of Alice and Bob is to guarantee security against 
an adversarial eavesdropper, usually called Eve 3 , tapping 
on the quantum channel and listening to the exchanges 
on the classical channel. 

By "security" we mean that "a non-secret key is never 
used": either the authorized partners can indeed create 
a secret key (a common list of secret bits known only to 
themselves), or they abort the protocol 4 . Therefore, after 
the transmission of a sequence of symbols, Alice and Bob 
must estimate how much information about their lists of 
bits has leaked out to Eve. Such an estimate is obvi- 
ously impossible in classical communication: if someone 
is tapping on a telephone line, or when Eve listens to the 
exchanges on the classical channel for that matters, the 
communication goes on unmodified. This is where quan- 
tum physics comes into the game: in a quantum channel, 
leakage of information is quantitatively related to a degra- 
dation of the communication. The next paragraph delves 
a bit deeper into the physical reasons for this statement. 



2. The origin of security 

The origin of security of QKD can be traced back to 
some fundamental principles of quantum physics. One 
can argue for instance that any action, by which Eve ex- 
tracts some information out of quantum states, is a gen- 
eralized form of measurement; and a well-known tenet of 
quantum physics says that measurement in general mod- 
ifies the state of the measured system. Alternatively, one 
may think that Eve's goal is to have a perfect copy of 
the state that Alice sends to Bob ; this is however for- 
bidde n by the no-cloning theorem ( Wootters and Zurekl . 
1982), which states that one cannot duplicate an un- 
known quantum state while keeping the original intact. 
Bot h these arguments appear alr eady in the seminal pa- 
per ([Bennett and Brassardl . [l984ft ; they lead to the same 
formalization. A third physical argument can be invoked, 
which is usually considered rather as a fact than as a 
principle, but a very deep one: quantum correlations ob- 



The generic settings of QKD are schematically repre- 
sented in Fig. [TJ The two authorized partners, those that 
want to establish a secret key at a distance, are tradition- 
ally called Alice and Bob. They need to be connected by 
two channels: a quantum channel, allowing them to share 
quantum signals; and a classical channel, on which they 
can send classical messages forth and back. 



2 This issue will be discussed in more detail in Sec. IVIII.BI 



3 The name, obtained from assonance with the English term 
"eavesdropping", is remarkably suited for someone whose task 
is to mess things up! 

4 No physical principle can prevent an adversary to cut the chan- 
nels, thus blocking all transfer of information between Alice and 
Bob. Stepping back then, one can imagine the following eaves- 
dropping strategy (suggested to one of us by A. Beveratos): Eve 
systematically cuts all QKD channels, until Alice and Bob, who 
after all want to communicate, opt for less secure methods — 
and then Eve gets the information. There is obviously a point 
of humor in this idea but, given that Eve has no hope if QKD is 
used correctly, this strategy may be the most effective indeed. 
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tained by separated measurements on members of entan- 
gled pairs violate Bell's inequalities and cannot therefore 
have been created by pre-established agreement. In other 
words, the outcomes of the measurements did not exist 
before the measurem ents; but the n, in particular, Eve 
could not know them ( EkertL Il99ll ) . This argument sup- 
poses that QKD is implemented with entangled states. 

The fact that security can be based on general prin- 
ciples of physics suggests the possibility of unconditional 
security, i.e. the possibility of guaranteeing security with- 
out imposing any restriction on the power of the eaves- 
dropper (more on this notion in Sec. III.C.1[) . Indeed, at 
the moment of writing, unconditional security has been 
proved for several QKD protocols. 



3. The choice of light 

In general, quantum information processing can be 
implemented with any system, and one indeed finds 
proposal to implement quantum computing with ions, 
atoms, light, spins... Abstractly, this is the case also 
for QKD: one could imagine to perform a QKD exper- 
iment with electrons, ions, molecules; however, light is 
the only practical choice. Indeed, the task of key distri- 
bution makes sense only if Alice and Bob are separated 
by a macroscopic distance: if they are in the same room, 
they have much easier ways of generating a common se- 
cret key. 

Now, as well known, light does not interact easily with 
matter; therefore quantum states of light can be trans- 
mitted to distant locations basically without decoherence, 
in the sense that little perturbations are expected in the 
definition of the optical mode. The problem with light 
is scattering, i.e. losses: quite often, the photons just 
don't arrive. The way losses affect QKD varies with 
the protocol and the implementation; we shall deal with 
these issues in detail later, but it's useful to give here a 
rapid overview. First and quite obviously, losses impose 
bounds on the secret key rate (that cannot scale with the 
distance better than the transmittivity of the line) and 
on the achievable distance (when losses are so large that 
the signal is lost in spurious events, the "dark counts"). 
Second: losses may leak information to the eavesdropper, 
according to the nature of the quantum signal: for coher- 
ent pulses it is certainly the case, for single photons it is 
not, the case for entangled beams is more subtle. A third 
basic difference is determined by the detection scheme. 
Indeed, implementations that use photon counters rely 
on post-selection: if a photon docs not arrive, the de- 
tector does not click and the event is simply discarded 5 . 



5 Note that this is possible because the task is to distribute a 
random key. In the days of booming of quantum informa- 
tion, some authors considered the possibil ity of sending di- 
rectly the message on the qu antum channel l|Beige et al 1. 120021 : 
Bostrom and Fclbingcr, 2002). This task has been called "Quan- 



On the contrary, implementations that use homodyne de- 
tection always give a signal, therefore losses translate as 
additional noise. 

In summary, QKD is always implemented with light 
and there is no reason to believe that things will change 
in the future. As a consequence, the quantum channel is 
any medium that propagates light with reasonable losses: 
typically, either an optical fiber, or just free space pro- 
vided Alice and Bob have a line of sight. 



4. The BB84 protocol 

All the points and concepts introduced above will be 
dealt in more depth and detail in the main sections of this 
review. Let us first practice the generic ideas on a very 
concrete example: the first QKD protocol, published by 
Bennett and Brassard in 1984 and called therefore BB84 
(jBennett and Brassardl Il984l ). 

Suppose Alice holds a source of single photons. The 
spectral properties of the photons are sharply defined, 
so the only degree of freedom left is polarization. Alice 
and Bob align their polarizers and agree to use either the 
Horizontal/ Vertical (+) basis, or the complementary ba- 
sis of linear polarizations i.e. +45/-45 (x). Specifically, 
the coding of bits is 



\H) codes for 0+ 

\V) codes for 1 + 

j+45) codes for X 

I — 45) codes for 1 x 



(1) 



We see that both bit values and 1 are coded in two 
possible ways, more precisely in non-orthogonal states, 
because 



±45) 



1 

71 



\H) ± 



(2) 



Given this coding, the BB84 protocol goes as follows: 

1. Alice prepares a photon in one of the four states 
above and sends it to Bob on the quantum channel. 
Bob measures it in either the + or the x basis. This 
step is repeated N times. Both Alice and Bob have 
now a list of N pairs (bit, basis). 

2. Alice and Bob communicate over the classical chan- 
nel and compare the "basis" value of each item and 
discard those instances in which they have used dif- 
ferent bases. This step is called sifting. At its end, 



turn Secure Direct Communication" and has generated some in- 
terest. However, it was soon recognized (even by some of the 
original authors) that the idea suffers of two major defaults with 
respect to standard QKD: (i) It is obviously not robust against 
losses: you cannot afford losing a significant amount of the mes- 
sage, (ii) It allows no analog of privacy amplification: if an 
eavesdropper obtains information, it is information on the mes- 
sage itself and cannot of course be erased. 
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Alice and Bob have a list of approximately N/2 
bits, with the promise that for each of them Alice's 
coding matched Bob's measurement. This list is 
called raw key. 

3. Alice and Bob now reveal a random sample of the 
bits of their raw keys and estimate the error rate 
in the quantum channel, thus in turn Eve's infor- 
mation. In the absence of errors, the raw key is 
identical for Alice and Bob and Eve has no infor- 
mation: in this case, the raw key is already the 
secret key. If there are errors however, Alice and 
Bob have to correct them and to erase the infor- 
mation that Eve could have obtained 6 . Both tasks 
can be performed by communication on the clas- 
sical channel, so this part of the protocol is called 
classical post-processing. At the end of this pro- 
cessing, Alice and Bob share either a truly secret 
key or nothing at all (if Eve's information was too 
large). 



5. An example of eavesdropping 

A particularly simple eavesdropping strategy is the one 
called intercept-resend. To obtain information, Eve does 
the same as Bob: she intercepts the photon coming from 
Alice and measures it either in the + or in the x basis. 
But Bob is waiting for some signal to arrive. Let's then 
suppose that Eve resends the same photon to Bob (Eve 
is limited only by the laws of physics, therefore in par- 
ticular she can perform a quantum non-demolition mea- 
surement). If Eve has measured in the basis of Alice's 
preparation, the photon is intact: on such instances, Eve 
has got full information on Alice's bit without introduc- 
ing any errors. However, when Eve has chosen the wrong 
basis, her result is uncorrelated with Alice's bit; more- 
over, she has modified the state so that, even if Bob uses 
the same basis as Alice, half of the times he will get the 
wrong result. 

In average over long keys then, this particular attack 
gives Eve full information on half of the bits of the raw 
key (Ie = 0.5) at the price of introducing an error rate 
Q = 0.25. Can a secure key be extracted under such 
conditions? One has to know how to quantify the length 
of the final key that can be extracted. For this particu- 
lar case, under som e assumptions on the clas sical post- 
processing it holds ( Csiszar and Korneii Il97§t ) 



= max{J(A :B)-I E ,0}. 



(3) 



where I(A : B) = H(A) + H{B) - H(AB) is the mutual 
information between Alice's and Bob's raw keys (H is 



Shannon entropy). Assuming that both bit values are 
equally probable, i.e. H(A) = H(B) = 1, one has I(A : 
B) = 1 — h(Q) where h is binary entropy. Having these 
elements, one can plug in the values obtained for the 
intercept-resend attack and find that I (A : B) < Ie- 
Eve has more information on Alice's string than Bob, 
therefore no secret key can be extracted 7 . 

Another simple exercise consists in supposing that Eve 
perform the intercept-resend attack only on a fraction 
p of the photons sent by Alice, and leaves the others 
untouched. Then obviously Q = p/4 and Ie — p/2 = 2Q; 
this leads to conclude that, if Q > 17%, a secure key 
cannot be extracted from the BB84 protocol — at least, 
if the classical post-processing is done acc ording to the 
assumptions of (Csisz ar" and Kdrnerl Il97cf ). 



6. Beyond the example: the field of QKD 

The basic example that we have just presented calls 
for a number of important questions: 

• The adversary is clearly not restricted to perform 
the intercept-resend attack. What is the maximal 
amount of information Eve can possibly obtain, if 
she is allowed to do anything that is compatible 
with the laws of physics? This is the question about 
the possibility of proving unconditional security. 

• The BB84 protocol is just a particular protocol. 
What about other forms of coding and/or of pro- 
cessing the data? 

• The protocol supposed that the quantum signal is a 
qubit — explicitly, a bimodal single photon, i.e. an 
elementary excitation of the light field in only two 
modes (polarization in the explicit example). How 
close can an implementation come to this? And af- 
ter all, should any implementation of QKD actually 
aim at coming close to this? 

• In a real device, information may leak out in chan- 
nels that are neglected in a theoretical description. 
What are the potential threats in an implementa- 
tion? 

The whole field of QKD has developed along the answer 
to these and similar questions. 



1 Historical note: the procedure that er ases the information of 
the e avesdropper was not discussed in (Bennett and Br assardl 
ll984Tl and appears for the first time a few years later 
llBennett. Brassard and Robertl . 119881 1. 



7 This conclusion is valid for all protocols: no secret 
key can be extracted if the observed statistics are com- 
patible with Eve performing the int ercept-resend attack 
l|Curtv. Lew cnstcin and Liitkcnhaus, 2004). The reason is that 
this attack "breaks" the quantum channel into two pieces, in 
which case the correlations between Alice and Bob can always 
be obtained with classical signals; and no secrecy can be dis- 
tributed with classical communication. 
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C. Scope of this review 

1. Focus 

The label "quantum cryptography" applies nowadays 
to a very wide range of interests, going from abstract 
mathematical considerations to strictly technological is- 
sues. 

This review focuses somewhere in the middle of this 
range, in the realm where theoretical and experimental 
physics meet, that we call practical QKD. There, theo- 
rists cannot pursue pure formal elegance and are com- 
pelled to complicate their models in order to take real 
effects into account; and experimentalists must have a 
serious grasp on theoretical issues in order to choose the 
right formulas and make the correct claims about the se- 
curity of their devices. Specifically, we want to address 
the following two concerns: 

1. On the one hand, the theoretical tools have reached 
a rather satisfactory level of development; but from 
outside the restricted group of experts, it has be- 
come almost impossible to follow this development, 
due also to the fact that quite a few strong secu- 
rity claims made in the past had to be revisited 
in the light of better understanding. As theorists 
involved in the development of security proofs, we 
want to provide an updated review of the status of 
such proofs. 

2. On the other hand, several competing experimental 
platforms exist nowadays. It is desirable to have a 
synthetic view of those, highlighting the interest 
and possible shortcomings of each choice. Also, we 
want to raise the awareness of the complexity of 
any comparison: "physical" figures of merit like the 
secret key rate or the maximal achievable distance 
are in competition with "practical" figures of merit 
like stability and cost. 

Along the review, we shall make reference also to some 
strictly mathematical or strictly technological progresses, 
but without any claim of exhaustiveness. 



directions for comparison of different experimental plat- 
forms. Finally, in Section IVIIIi we discuss future per- 
spectives for QKD, both as a field in itself and in the 
broader context of key distribution. 



II. THE ELEMENTS OF PRACTICAL QKD 
A. Milestones 

1. Foundations: 1984-1995 

QKD unfold ed with the presentation of th e first com- 
plete protocol (Be nnett and Brassard . 1984T). which was 
based on earlier ideas by Wiesner (|Wiesne 1 11983D . In 
the BB84 protocol, bits are coded in two complementary 
bases of a two level system (qubit); this qubit is sent by 
Alice to Bob, who measures it. The no-cloning theorem 
is explicitly mentioned as the reason for security. This 
work was published in conference proceedings and was 
largely unknown to the community of physicists. It was 
not until 1991, when Artur Ekert, independently from 
the earlier developments, published a paper on quantum 
key distributions , that the field gained a rapid popular- 
ity (Ekert], Il99ll ). Ekert 's argument for security had a 
different flavor: an eavesdropper introduces "elements of 
reality" into the correlations shared by Alice and Bob; 
so, if they observe correlations that violate a Bell inequal- 
ity, the communication cannot have been completely bro- 
ken by Eve. Shortly later, Bennett, Brassard and Mer- 
min argued 8 that entanglement-based protocols, such as 
E91, are equivalent to preparefcmeasure protocols, such 
as th e BB84 protocol ([Bennett. Brassard and Merminl . 
1992). The same year 1992 witnessed two additiona l 
miles tones: the invention of the B92 protocol (Bennett], 
Il992h an d the very first i n-prin ciple experimental demon- 
stration ( Bennett et all Il992t ) . One can reasonably con- 
clude the foundational period of QKD with the defini- 
tion of privacy amplification, the classical post-processing 
needed to erase Eve 's information from the raw key 
([Bennett et all . Il995r ). 



2. Outline 

The review is structured as follows. Section [IT] in- 
troduces all the basic elements of practical QKD. Sec- 
tion IIIII is devoted to the rate at which a secret key is 
produced: this is the fundamental parameter of QKD, 
and depends both on the speed and efficiency of the de- 
vices, and on the intrinsic security of the protocol against 
eavesdropping. The next three sections provide a de- 
tailed analysis, with a consistent set of explicit formu- 
las, for the three main families of protocols: those based 
on discrete- variable coding (Section IIV[) . those based on 
continuous- variable coding (Section [Vj and the more re- 
cent distributed-phase-reference coding (Section IVI[) . In 
Section [VHi we put everything together and sketch some 



2. The theory-experiment gap opens: 1993-2000 

After these foundational works, the inter- 
est and feasibility of QKD became apparent to 
many. Improved experimental demonstrations 

took place, first in the lab with a growing dis- 
tance of optical fiber next to the optical table 



The argument is correct under some assumptions; only around 
the year 2006 it was fully realized that Ekert's view is qualita- 
tively different and allows to reduce the set of assumptions about 
Alice's and Bob's devices; see IV111.A.3I This is also why the Ek- 
ert protocol w as not implement ed as such in an experiment until 
very recently l lLing et al., 2008). 
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(iBreguet. Muller and Gisinl. 1994 IFranson and lived . 



11994 ; Townsend. Rarity and Tapsteii 1993), then in 



insta lled optical fibers ( Muller. Zbinden and Gisml 
1995), thereby demonstrating that QKD can be made 
sufficiently robust for a real-world implementation. In 
this development, an obvious milestone is the invention 
of the so-called Plug&Play setups by the Geneva group 
(jMuller et all Il997t iRibordv et'all ll998h . By the year 
2000, QKD over large dista nces was demon s trated 
also with entan gled photons (iJennewein et all . 120001 : 
iNaik et all 120001 : IXittel et all |2000D . 

Theorists became very active too. New protocols were 
proposed. For instance, the elegant six-state protocol, 
first m entioned back in 198 4 as a possible extension of 
BB84 (|Bennett et all 1 19841). was rediscovered and stud- 
ied in greater det ail ( Bechmann-Pasauinucci and Gisinl . 
119991 : iBrufj . Il998[ ). But by far a more complex task was 
at stake: the derivation of rigorous security proofs that 
would replace the intuitive arguments and the first, ob- 
viously sub-optimal estimates. The first such proof has 
been given by Mayers, who included even adva nced fea- 
tures such as the analysis of finite key effects (jMavera . 
Il996ll200lh . However, this proof is not very intuitive, and 
other proofs emerged, starting wi th the basic pr i nciple 
of entanglement distillation ideas ( Deutsch et all fl996h 
which were put into a rig orous framework by Lo and 
Chau ( Lo and Chad . 119991) . These entanglement based 
proofs would require the ability to perform quantum logic 
operations on signals. At present, we do not have the ex- 
perimental capabili ty to do so. Ther e fore t he result by 
Shor and Preskill ( Shor and Preskilj |2000| ) provided a 
step forward, as it combined the property of Mayers re- 
sult of using only classical error correction and privacy 
amplification with a very intuitive way of proving the se- 
curity of the BB84 protocol. That result uses the ideas 
of quantum error correction methods, and reduces the 
corresponding quantum protocol to an actual classically- 
assisted prepare-and-measure protocol. 

As of the year 2000 therefore, both experimental and 
theoretical QKD had made very significant advances. 
However, almost inevitably, a gap had opened between 
the two: security proofs had been derived only for very 
idealized schemes; setups had been made practical with- 
out paying attention to all the security issues. 



3. Closing the gap: 2000 to present 

The awareness of the gap was triggered by the 
discover y of photo n- numb er- splitting (PNS) at- 
tacks (Brass ard et 

Ml [2000), whic h had ac tually 



been anticipated years b ef ore (IBennettJ. 1992: 
Dusek. Haderka and Hendrvchl . Il999l : iHuttner et al. , 
19951) but had passed rather unnoticed. The focus is on 
the source: the theoretical protocols supposed single- 
photon sources, but experiments were rather using atten- 
uated laser pulses, with average photon numbers below 
one. In these pulses, photons are distributed according to 



the Poissonian statistics: in particular, there are some- 
times two or more photons, and this opens an important 
loophole. Se curity proofs could be adapted to deal 
with th e case dGottesman. Lo. Liitkenhaus and Preskill 



20041: llnamori. Liitkenhaus and Maversl 12001-2007 



Lutkenhaud . 2000l ): the extractable secret key rate was 



found to scale much worse with the distance than for 
single-photon sources (t compared to t, where t is the 
transmittivity of the quantum channel). 



It took a few years to realize that methods can 
be devised to reduce the power of PNS attacks while 
keeping the very convenient laser sources. One im- 
provement can be made by a mere change of software 
by modifying the announcements of t he BB 84 proto- 
col ( Scarani. Acin. Ribordv and Gisinl . 120041 ): in this 
SARG04 protocol, the key rate scale s as t 3 ^ 2 ( Koashil . 
120051 : |K raus. Gisin and Rennerl 120051 ). Another signif- 
icant improvement can be made by an easy change of 
hardware: by varying the quantum state along the pro- 
tocol (decoy states), one can perform a mo re complete 
test of the quantum channel ( Hwansi 120031 ). When the 
decoy state idea is applied to laser sources , the k ey rate 
scales as t (|Lo. Ma and Ched . 120051 : IWand . 120051 ). 



Parallel to this development, the field of practical 
QKD 9 has grown in breadth and maturity. New fami- 
lies of protocols have been proposed, notably cont i nuous 
variable protocols (ICerf. Levy and Van Assche . 2001 



Gottesman and Preskill, 2001; Grosshans and Grangier, 
2002al:lHillervLl2000l : lRalpiTll999l:ISilberhorn et aLl . l2002 ) 



and the more recent distributed-pha s e-reference protoco ls 
(|lnoue. Waks and Yamamota l2002t IStucki et all 120051 ). 
Critical thinking on existing setups has lead to the aware- 
ness that the security against Eve tapping on the quan- 
tum channel is not all: one should also protect the de- 
vices against more commonplace hacking attacks and ver- 
ify that information does n ot leak out in side-channels 
( Makarov and Hielmd . 12005). Since a short time, QKD 
has also reached the commercial market: at least three 
companies 10 are offering working QKD devices. New 
questions can now be addressed: in which applications 
QKD can help (jAlleaume et al., 2007), how to implement 
a network of QKD systems 11 , how to certify QKD de- 
vices for commercial markets (including the verification 
that these devices indeed fulfill the specifications of the 
corresponding security proofs) etc. 



9 The whole field of QKD witnessed many other remarkable devel- 
opments, especially in theoretical studies, which are not included 
in this paragraph but are mentioned in due place in the paper. 

10 idQuantique, Geneva (Switzerland), www.idquantique.com; 
MagiQ Technologies, Inc., New York., www.magiqtech.com; and 
Smartquantum, Lannion (France), www.smartquantum.com. 

11 This is the aim of the European Network SECOQC, 
www.secoqc.net. 
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B. Generic QKD Protocol 



1. Classical and quantum channels 



As introduced in Sec. II. B| Alice and Bob need to be 
connected by two channels. On the quantum channel, 
Alice can send quantum signals to Bob. Eve can interact 
with these signal, but if she does, the signals are changed 
because of the laws of quantum physics - the essence of 
QKD lies precisely here. 

On the classical channel, Alice and Bob can send clas- 
sical messages forth and back. Eve can listen without 
penalty to all communication that takes place on this 
channel. However, in contrast to the quantum chan- 
nel, the classical channel is required to be authenticated, 
so that Eve cannot change the messages that are being 
sent on this channel. Failure to authenticate the classical 
channel can lead to the situation where Eve impersonates 
one of the parties to the other, thus entirely compromis- 
ing the security. Unconditionally secure authentication 12 
of the classical channel requires Alice and Bob to pre- 
share an initial secret ke y or at least partially sec ret but 
identical random strings (|Renner and Woll l2003r ) . QKD 
therefore does not create a secret key out of nothing: 
rather, it will expand a short secret key into a long one, 
so strictly speaking it is a way of key-growing. This re- 
mark calls for two comments. First, key growing cannot 
be achieved by use of classical means alone, whence QKD 
offers a real advantage. Second, it is important to show 
that the secret key emerging from QKD is composable, 
that is, it can be used like a perfect random secret key in 
any task (more in Sec. III.C.2[) , because one has to use a 
part of it as authentication key for the next round. 



2. Quantum information processing 

The first step of a QKD protocol is the exchange and 
measurement of signals on the quantum channel. Al- 
ice's role is encoding: the protocol must specify which 
quantum state ^(iS^)) codes for the sequence of n sym- 
bols S n = {si, s„}. In most protocols, but not 
in all, the state ^(Sn)) has the tensor product form 
\ip(si)} <g> ... <g> \tp(s n )}. In all cases, it is crucial that the 
protocol uses a set of non-orthogonal states 13 , otherwise 



Eve could decode the sequence without introducing errors 
by measuring in the appropriate basis (in other words, a 
set of orthogonal states can be perfectly cloned). Bob's 
role is twofold: his measurements allow of course to de- 
code the signal, but also to estimate the loss of quantum 
coherence and therefore Eve's information. For this to be 
possible, non-compatible measurements must be used. 

We have described the quantum coding of QKD pro- 
tocols with the language of Prepare-and-Measure (P&M) 
schemes: Alice chooses actively the sequence S n she 
wants to send, prepares the state ^(Sn)) and sends it to 
Bob, who performs some measurement. Any such scheme 
can be immediately translated into an entanglement- 
based (EB) scheme: Alice prepares the entangled state 



1 



1 AB 



S n 



\S n ) A ® |*(<S„))j 



(4) 



where d n is the number of possible S n sequences and the 
\S n ) A form an orthogonal basis. By measuring in this 
basis, Alice learns one S n and prepares the correspond- 
ing |^(<S„)) on the sub-system that is sent to Bob: from 
Bob's point of view, nothing changes. This formal trans- 
lation obviously does not mean that both realizations are 
equally practical or even feasible with present-day tech- 
nology. However, it implies that the security proof for the 
EB protocol translates immediately to the corresponding 
P&M protocol and viceversa. 

A frequently quoted statement concerning the role of 
entanglement in QKD says that "entan glement is a nec- 
essar y condition to extract a secret key" (lAcm and Gisinl . 
120051 : ICurtv. Lewenstein and Lutkenhausl . I2004T) . Two 
important comments have to be made to understand it 
correctly. First of all, this is not a statement about imple- 
mentations, but about the quantum channel: it says that 
no key can be extracted from an entanglement-breaking 
channel 14 . In particular, the statement docs not say that 
entanglement-based implementations are the only secure 
ones. 

Second: as formulated above, the statement has been 
derived under the assumption that Eve holds a purifica- 
tion of pAB: where A and B are the degrees of freedom 
that Alice and Bob are going to measure. One may ask 
a more general question, namely, how to characterize all 
the private st ates, i.e. the states out of whic h secrecy can 
be extracted (|Horodecki et ad . 120051 [2008alibh ■ It was re- 
alized that, in the most general situation, Alice and Bob 



12 Authentication schemes that do not rely on pre-shared secrecy 
exist, but are not unconditionally secure. Since we aim at un- 
conditional security for QKD, the same level of security must 
in principle be guaranteed in all the auxiliary protocols. How- 
ever, breaking the authentication code after one round of QKD 
does not threaten security of the key that has been produced; 
one may therefore consider authentication schemes that guar- 
antee security only for a limited time, e.g. based on complexity 
assumptions. 

13 There is only one exception (Goldenbcrg and Vaidman, 1995) 
when Alice uses just two orthogonal states. Alice prepares a 
qubit in one of the two orthogonal superposition of two spatially 



separated states, then - at a random time instant - she sends one 
component of this superposition to Bob. Only later she sends the 
second component. Precise time synchronizati on be t ween Alice 
and Bob is crucial. See also Peres' criticism jPeresl 119961) , the 
authors' re ply jG oldenberg and Vaid man, 1996]) and a related 
discussion ( Koa shi and^motoTlT9*9*7l ) . Unconditional security has 
not been proved for this protocol. 

As the name indicates, a channel p — » p' = C(p) is called 
entanglement-breaking if (lcg>C)|*I'}^ s is separable for any input 
AB . A typical example of such a channel is the one obtained 
by performing a measurement on half of the entangled pair. 
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may control some additional degrees of freedom A' and 
B'\ thus, Eve is not given a purification of pab, but of 
Paa'bb>- In such situation, it turns out that pab can 
even be separable; as for paa'bb 1 , it must be entangled, 
but may even be bound entangled. The reason is quite 
clear: A' and B' shield the meaningful degrees of free- 
dom from Eve's knowledge. We do not consider this most 
general approach in what follows 15 , because at the mo- 
ment of writing no practical QKD scheme with shielding 
systems has been proposed. 



3. Classical information processing 

Once a large number N of signals have been exchanged 
and measured on the quantum channel, Alice and Bob 
start processing their data by exchanging communica- 
tion on the classical channel. In all protocols, Alice and 
Bob estimate the statistics of their data; in particular, 
they can extract the meaningful parameters of the quan- 
tum channel: error rate in decoding, loss of quantum co- 
herence, transmission rate, detection rates... This step, 
called parameter estimation, may be preceded in some 
protocols by a sifting phase, in which Alice and Bob 
agree to discard some symbols (typically, because Bob 
learns that he has not applied the suitable decoding on 
those items). After parameter estimation and possibly 
sifting, both Alice and Bob hold a list of n < N sym- 
bols, called raw keys. These raw keys are only partially 
correlated and only partially secret. Using some classi- 
cal information post-processing (see lIII.B~Tj) . they can be 
transformed into a fully secure key K of length I < n. 
The length I of the final secret key depends of course on 
Eve's information on the raw keys. 



4. Secret fraction and secret key rate 

In the asymptotic case N — ► oo of infinitely long keys, 
the meaningful quantity is the secret fraction 16 

r = lira £/n . (5) 

N^oc 

The secret fraction is clearly the heart of QKD: this is 
the quantity for which the security proofs (|II.C.3[) must 
provide an explicit expression. However, a more pro- 
saic parameter must also be taken into account as well 
in practical QKD: namely, the raw-key rate R, i.e. the 
length of the raw key that can be produced per unit time. 
This rate depends partly on the protocol: for instance, it 
contains the sifting factor, i.e. the fraction of exchanged 



symbols that is discarded in a possible sifting phase. But, 
surely enough, its largest dependence is on the details of 
the setup: repetition rate of the source, losses in the 
channel, efficiency and dead time of the detectors, possi- 
ble duty cycle, etc. In conclusion, in order to assess the 
performances of practical QKD systems, it is natural to 
define the secret key rate as the product 

K = Rr. (6) 

The whole Section IIIII will be devoted to a detailed dis- 
cussion of this quantity. 

As mentioned, these definitions hold in the asymptotic 
regime of infinitely long keys. When finite-key corrections 
are taken into account, a reduction of the secret fraction 
is expected, mainly for two reasons. On the one hand, 
parameter estimation is made on a finite number of sam- 
ples, and consequently one has to consider the worst pos- 
sible values compatible with statistical fluctuations. On 
the other hand, the yield of the classical post-processing 
contains terms that vanish only in the asymptotic limit; 
intuitively, these correction take care of the fact that se- 
curity is never absolute: the probability that Eve knows a 
n-bit key is at least 2 _n , which is strictly positive. In this 
review, we restrict our attention to the asymptotic case, 
not because finite-key corrections are negligible — quite 
the opposite seems to be true 17 — but because their esti- 
mate is still the object of on-going research fsee lVIILA.il 
for the state-of-the-art). 

C. Notions of Security 

1. Unconditional security, and its conditions 

The appeal of QKD comes mainly from the fact that, 
in principle, it can achieve unconditional security. This 
technical term means that security can be proved with- 
out imposing any restriction on the computational re- 
sources or the manipulation techniques that are available 
to the eavesdropper acting on the signal. The possibil- 
ity of achieving unconditional security in QKD is deeply 
rooted in quantum physics. To learn something about 
the key, Eve must interact with the quantum system; 
now, if the coding uses randomly chosen non-orthogonal 
states, Eve's intervention necessarily modifies the state 
on average, and this modification can be observed by the 
parties. As we discussed in Sec. II. Bl there are many 
equivalent formulations of this basic principle. However 
formulated, it must be stressed that this criterion can 
be made quantitative: the observed perturbations in the 
quantum channel allow computing a bound on the infor- 
mation that Eve might have obtained. 



15 In jSmith, Rcncs and Smolin, 2008), the formalism of private 
states is used to study pre-processing, sec lIII.B.ll 

16 Often, especially in theoretical studies, this quantity is called 
"secret key rate". In this paper, we reserve this term to J6j, 
which is more meaningful for practical QKD. 



For instance, in t he only experiment an alyzed with finite-key 
formalism to date llHaseeawa et ai, 2007), the authors extracted 
r Si 2%, whereas, for the observed error rate, the asymptotic 
bound would have yielded r > 40%! 
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Like many other technical terms, the wording "uncon- 
ditional security" has to be used in its precise meaning 
given above, and not as a synonym of "absolute secu- 
rity" — something that does not exist. As a matter of 
fact, unconditional security of QKD holds under some 
conditions. First of all, there are some compulsory re- 
quirements: 

1. Eve cannot intrude Alice's and Bob's devices to 
access either the emerging key or their choices of 
settings (we shall see in Sec. IIII.B.4I how complex 
it is to check this point thoroughly) . 

2. Alice and Bob must trust the random number gen- 
erators that select the state to be sent or the mea- 
surement to be performed. 



3. 



The classical channel is authenticated with 
unco nditionally secure p rotoc ol s, whi c h ex- 
ist (ICarter and Wegmarl 1 19791; IStinsonl . Il995t 
fWe Eman and Carted . Il98lh . 



4. Eve is limited by the laws of physics. This require- 
ment can be sharpened: in particular, one can ask 
whether security can be based on a restricted set 
of laws 18 . In this review, as in the whole field of 
practical QKD, we assume that Eve has to obey 
the whole of quantum physics. 

We shall take these requirements, the failure of which 
would obviously compromise any security, as granted. 
Even so, many other issues have to be settled, before 
unconditional security is claimed for a given protocol: 
for instance, the theoretical description of the quantum 
states must match the signals that are really exchanged; 
the implementations must be proved free of unwanted in- 
formation leakage through side-channels or back-doors, 
against which no theoretical protection can be invoked. 



2. Definition of security 

The security of a key JC can be parametrized by its 
deviation e from a perfect key, which is defined as a list 



18 As we have seen H.B.2t . intuition suggests that the security of 
QKD can be traced back to a few specific principles or laws 
like "no-cloning" or "non-locality without signaling" . One may 
ask whether this intuition may be made fully rigorous. Con- 
cretely, since any theory that does not allow signaling and is 
non-local exhibits a no-cloning theorem jBarnum et all |2006| ; 
iMasanes. Acm and Gisirl I2006T ). and since non-locality itself 
can be checked, one may hope to derive security only from 
the physical law of no-signaling. In this framework, as of to- 
day, unconditional security has been proved only in the case 
of strictly error-free channels an d for a key of vanishing length 
llBarrett. Hardy and K ent. 2005) . Only limited security has been 
proved in mo r e rea listic cases |Acrn. Gisin and Masanes, 120061 ; 
IScarani et ai. 2006). Recently, Masanes showed that uncondi- 
tional composable security can be proved if no-signaling is as- 
sumed not only between Alice and Bob, but also among the 
systems that are measured by each partner ((Masanes, 20091). 



of perfectly correlated symbols shared between Alice and 
Bob, on which Eve has no information (in particular, all 
the possible lists must be equally probable a priori). A 
definition of security is a choice of the quantity that is re- 
quired to be bounded by e; a key that deviates by e from 
a perfect key is called e-secure. The main property that a 
definition of security must fulfill is composability, mean- 
ing that the security of the key is guaranteed whatever 
its application may be — more precisely: if an e-secure 
key is used in an e'-secure task 19 , composability ensures 
that the whole procedure is at least (e + e')-secure. 

A composable definition of security is the one based on 
the t race-norm ( Ben-Or et all 120051 : iRenner and Konigl . 
l2005t ): ^Wpke — tjc ® Ae||i < s, where pk.e is the actual 
state containing some correlations between the final key 
and Eve, t/c is the completely mixed state on the set K, 
of possible final keys and pe is any state of Eve. In this 
definition, the parameter e has a clear interpretation as 
the maximum failure probability of the process of key ex- 
traction. As the dates of the references show, the issue of 
composability was raised rather late in the development 
of QKD. Most, if not all, of the early security studies 
had adopted a definition of security that is not compos- 
able, but the asymptotic bounds that were derived can 
be "redeemed" using a composable definition 20 . 



3. Security proofs 

Once the security criterion is defined, one can derive a 
full security proof, leading to an explicit (and hopefully 
computable) expression for the length of the extractable 



19 For instance, the One-Time Pad is a 0-secure task; while any 
implementation of channel authentication, for which a part of 
the key is used IH.B.lt . must allow for a non-zero e'. 

20 The early proofs defined security by analogy with the classi- 
cal definition: Eve, who holds a quantum state pe, performs 
the measurement Ai which maximizes her mutual information 
with the key K. This defines the so-called accessible informa- 
tion I a cc(IC : Pe) = m&x E=M(p E ) I(K '■ E)i an d the security 
criterion reads I a cc{fC : Pe) < £■ As for the history of claims, 
it is quite intricate. Accessib le information was f irst claimed to 
provide composable security l lBen-Or et aU |2005| ) . The proof is 
correct, but composability follows from the use of two-universal 
hashing in the privacy amplification step (see IIII.B.U . rather 
than from the properties of accessible information itself. Indeed, 
shortly later, an explicit counterexample showed that accessi- 
ble information is in general not c omposable for any reasonable 
choice of the security parameter e (iKonie e t al., 2007|). The rea- 
son why accessible information is not composable can be ex- 
plained qualitatively: this criterion supposes that Eve performs 
a measurement to guess the key at the end of the key exchange. 
But Eve may prefer not to measure her systems until the key 
is actually used in a further protocol: for instance, if a plain- 
text attack can reveal some information, Eve has certainly bet- 
ter adapt her measurement to this additional knowledge. The 
counterexample also implies that the cl assical results on priv acy 
amplification by two-universal hashing llBennett et all . Il995l ) do 
not apply and have to be replaced b y a quantum version of the 
statement iRenner and Konig, 2005). 
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secret key rate. Several techniques have been used: 

• The very first proofs by Mayers were somehow 
based on the uncertainty principle (M aversl . Il996t 
l200lf ) . This approach has b een revived recently by 
Koashi (|Koashil . 120061 I2007D . 



• Most of the subsequent security proofs have 
been based on the correspondence between 
entanglement distillation and classical post- 
processing, generaliz ing the techniq ues of 

Shor and Preskill (jShor and Preskilll |2000| ). 
For instance, the most developed security 
proofs f or imperfect devices follow this pat- 
tern ( Gottesman. Lo. Lutkenhaus and Preskilll 
I2004D . 

• The most recent techniques use rather 
information-theoretical n o tions 
Kraus. Gisin and Rennei . 20051 : 
Renner, Gisin and Kraus . l2005h . 



(Bcn-Or 



Renner 



2002; 



2005 



A detailed description on how a security proof is built 
goes beyond the scope of this review. The core lies in 
how to relate the security requirement ^Upacb — T K ® 
Pe\\i < £ to a statement about the length I of the secret 
key that can be extracted. This step is achieved using 
inequalities that can be seen as a generalization of the 
Chernoff bound. In other words, one must use or prove 
an inequality of the form 

Prob[||px;E-Tx;®A)E||i>2£] < e e - p ^ E ^ (7) 

where we omitted constant factors. From such an in- 
equality, one immediately reads that the security require- 
ment will fail with exponentially small probability pro- 
vided £ < F(p/cE,£)- Explicit security bounds will be 
provided below (Sec. IIII.B[) for the asymptotic limit of 
infinitely long keys — note that in this limit one can take 
e — ► 0, whence no explicit dependence on e is manifest in 
those expressions. 



D. Explicit Protocols 

1. Three families 

The number of explicit QKD protocols is virtually in- 
finite: after all, Bennett has proved that security can be 
obtained when c oding a b i t in j ust two non-orthogonal 
quantum states ( Bennett! |l992). But as a matter of 



fact, this possible variety has crystallized into three main 
families: discrete- variable coding (|II.F).2|) . continuous- 
variable coding pi.D.3p . and more recently distributed- 
phase-reference coding (|II.D.4[) . The crucial difference 
is the detection scheme: discrete- variable coding and 
distributed-phase-reference coding use photon counting 
and post-select the events in which a detection has ef- 
fectively taken place, while continuous-variable coding 
is defined by the use of homodyne detection (detection 
techniques are reviewed in Sec. III.G[) . 



Discrete-variable coding is the original one. Its main 
advantage is that protocols can be designed in such a way 
that, in the absence of errors, Alice and Bob would share 
immediately a perfect secret key. They are still the most 
implemented QKD protocols. Any discrete quantum de- 
gree of freedom can be chosen in principle, but the most 
frequent ones are polarization for free-space implementa- 
tions and phase-coding in fiber-based implementations 21 . 
The case for continuous-variable coding stems from the 
observation that photon counters normally feature low 
quantum efficiencies, high dark count rates, and rather 
long dead times; while these inconveniences can be over- 
come by using homodyne detection. The price to pay is 
that the protocol provides Alice and Bob with correlated 
but rather noisy realization of a continuous random vari- 
able, because losses translate into noise fsee II.B.3|) : as a 
consequence, a significant amount of error correction pro- 
cedures must be used. In short, the issue is, whether it is 
better to build up slowly a noiseless raw key, or rapidly a 
noisy one. As for distributed-phase-reference coding, its 
origin lies in the effort of some experimental groups to- 
ward a more and more practical implementation. From 
the point of view of detection, these protocols produce 
a discrete- valued result; but the nature of the quantum 
signals is very different from the case of discrete- variable 
coding, and this motivates a separate treatment. 



Despite the differences originating from the use of a 
different detection device, there is a strong conceptual 
unity underlying discrete- and continuous- variable QKD. 
To take just one example, in both cases the ability to 
distribute a quantum key is closely related to the abil- 
ity to distribute entanglement, regardless of the detec- 
tion scheme used and even if no actual entanglement is 
present. These similarities are not very surprising since 
it has long been known that the quantum features of 
light may be revealed either via photon counting (e.g., 
antibunching or anticorrelation experiments) or via ho- 
modyne detection (e.g., squeezing experiments). Being a 
technique that exploits these quantum features of light, 
QKD has thus no reason to be restricted to the photon- 
counting regime. Surprisingly, just like antibunching (or 
a single-photon source) is not even needed in photon- 
counting based QKD, we shall see that squeezing is not 
needed in homodyne-detection based QKD. The only 
quantum feature that happens to be needed is the non- 
orthogonality of light states. 



21 Other degrees of freedom have been explo red, for instance cod - 
ing in sidebands o f phase-modulated light (Mcrolla et al, 1999) 
and time-coding I IBoucher and Dcbuisschcrt, 2005). Energy- 
time e ntanglement gives also rise to a peculiar form of coding 
( iTittel et nUl200Ch . 
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2. Discrete-variable Protocols 

a. BB84-BBM. The best known discrete- variable proto- 
col is of course BB84 ( Bennett and Brassardl Il984f ) . that 
we introduced in Sec. II.BI The corresponding EB pro- 
tocol is known as BBM (Be nnett. Brassard and Merminl . 
Il992t ); the E91 protocol pkertl . Il99ll ) is equivalent to it 
when implemented with qubits. Alice prepares a single 
particle in one of the four states: 



x) , | — x) , eigenstates of a x 
y},\ — y) , eigenstates of a y 



(8) 



where the ex's are Pauli operators. The states with "+" 
code for the bit value 0, the states with "— " for the bit 
value 1. Bob measures either o~ x or <r y . In the absence of 
errors, measurement in the correct basis reveals the bit- 
value encoded by Alice. The protocol includes a sifting 
phase: Alice reveals the basis, X or Y, of each of her 
signals; Bob accepts the values for which he has used the 
same basis and discards the others 22 . 

Unconditional security of BB84-BBM has 
been proved with many different tec h niques 
(iKraus. Gisin and Rennerl. 120051: iLo and Chaul . 1 19991 : 
lMaverslll996ll200ll : IShor and Preskilll . l2000h . The same 
coding can be implemented with other sources, leading 
to a family of BB84-like protocols. We review them at 
length in Sec. HVTSl 



b. SARG04. The SARG04 
col (lAcm. Gisin and Scarani 



proto- 
12004J; 

IScarani. Acm. Ribordv and Gisinl . 120041 ) uses the 
same four states ([8]) and the same measurements on 
Bob's side as BB84, but the bit is coded in the basis 
rather than in the state (basis X codes for and basis 
Y codes for 1). Bob has to choose his bases with prob- 
ability |. The creation of the raw key is slightly more 
complicated than in BB84. Suppose for definiteness 
that Alice sends | + x): in the absence of errors, if Bob 
measures X he gets Sb = + ; if he measures Y, he may 
get both Sb = +/— with equal probability. In the sifting 
phase, Bob reveals Sb', Alice tells him to accept if she 
had prepared a state with s a ^ Sb, in which case Bob 
accepts the bit corresponding to the basis he has not 
used. The reason is clear in the example above: in the 



absence of errors, Sb = — singles out the wrong basis 23 . 

SARG04 was invented for implementations with at- 
tenuated laser sources, because it is more robust than 
BB84 against the PNS attacks. Unconditional security 
has been proved, we shall review the main results in Sec. 

EES 



c. Other discrete-variable protocols. A large number of 
other discrete-variable protocols have been proposed; all 
of them have features that makes them less interesting 
for practical QKD than BB84 or SARG04. 



The 


six-state protoco 


(iBechmann- 


3 asauinucci and Gisinl. Il999t iBennett et al\ 


19841: iBrufl 


19981) follows the same structure as BB84 



to which it adds the third mutually unbiased basis 
Z defined by the Pauli matrix a z . Its uncond itional 
security has been proved quite early (jLol . l200lh . The 
interest of this protocol lies in the fact that the channel 
estimation becomes "tomographically complete" , that 
is, the measured parameters completely characterize the 
channel. As a consequence, more noise can be tolerated 
with respect to BB84 or SARG04. However, noise is 
quite low in optical setups, while losses are a greater 
concern (see III. Fl) . Under this respect, six-state perform 
worse, because it requires additional lossy optical com- 
ponents. Similar considerations apply to the s i x-state 
version of the SARG04 codin g dTamaki and Lo . 120061 ) 



and to the Singapore protocol ( Englert et all , 20041 ). 

The coding of BB84 and six-state has been 
generalize d to larger dimensional qua ntum sys- 
tems (IBechmann-Pasauinucci and Peresl l2000t 

iBechmann-Pasauinucci and Tittel T" 2000f) . For any 



d, protocols that use either two o r d + 1 mutuall y 
unbiased bases have been defined ( Cerf et all, [2002). 



Unconditional security was not studied; for restricted at- 
tacks, the robustness to noise increases with d. Time-bin 
coding allows producing ri-dimen sional quantum states 



ot light m a rath e r nat ural way (|L»e Kiedmatten et all 
l2004t i lThew et all |2004 . However, the production and 
detection of these states requires d-avm interferometers 
with couplers or switches, that must moreover be kept 
stable. Thus again, the possible advantages are overcome 
by the practical issues of losses and stability. 



Fin ally, we have to mention the B92 protocol ( Bennett! 



I1992D . which uses only two non-orthogonal states, each 
one coding for one bit-value. In terms of encoding, 
this is obviously the most economic possibility. Un- 



In the original version of BB84, both bases are used with the 
same probability, so that the sifting factor is p a ift = \, i.e. only 
half of the detected bits will be kept in the raw key. But the 
protocol can be made asymmetric w ithout changing the security 
ilLo. Chau and Ardehall Il998-200l) : Alice and Bob can agree 
on using one basis with probability 1 — e where e can be taken 
as small as one wants, so as to have p a ift ~ 1 (recall that we 
are considering only asymptotic bounds; in the finite key regime , 
the o ptimal value of e can be computed l|Scarani and Renned . 
12008ft ). 



In an alternative version of the sifting, Alice reveals that the 
state she sent belongs to one of the two sets {\s a x}, \ s a y)}, and 
Bob accepts if he has detected a state s;, ^ s a . This is a sim- 
plified version with respect to the original proposal, where Alice 
could declare any of the four sets of two non-orthogonal states. 
The fact, that the two versions are equivalent in terms of secu- 
rity, was not clear whe n the first rigorous bounds were derived 
l lBranciard et all , |2005|) . but was verified later. 
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fortunately, B92 is a rather sensitive protocol: as no- 
ticed already in the original paper, this protocol is se- 
cure only if some other signal (e.g. a strong reference 
pulse) is present along with the two states that code the 
bit. Unconditional security has been proved for single- 
photon implementations (ITamaki, Koashi and Imotcl 
120031 ; iTamaki and Liitkenhausl . I2004T ) and for s ome im- 
plem e ntations with a str ong reference pulse ( Koashil . 
12004 ITamaki et al\ . 120061 ). Incidentally, SARG04 may 
be seen as a modified B92, in which a second set of 
non-orthogonal states is added — actually, an almost 
forgotten prot o col s erved as a link between the two 
([Huttner et aLl . ll995l ). 



3. Continuous-variable Protocols 

Discrete- variable coding can be implemented with sev- 
eral sources, but requires photon-counting techniques. 
An alternative approach to QKD has been suggested, in 
which the photon counters are replaced by standard tele- 
com PIN photodiodcs, which are faster (GHz instead of 
MHz) and more efficient (typically 80% instead of 10%). 
The corresponding schemes are then based on homodyne 
detection pi.G.2|) and involve measuring data that are 
real amplitudes instead of discrete events; hence these 
schemes are named continuous- variable (CV) QKD. 

The first proposals suggest ing the use of homodyne de- 
tection in QKD are due to (|Hillervl . l2000t iRalphl . Il999t 
iReidl . |2000| ). In parti cular, a squee zed-state version of 
BB84 was proposed in (|Hillervl . [20001. where Alice's basis 
choice consists of selecting whether the state of light sent 
to Bob is squeezed in either quadrature q — x or q = p. 
Next, this q-squeezed state is displaced in q either by +c 
or — c depending on a random bit chosen by Alice, where 
c is an appropriately chosen constant. Bob's random ba- 
sis choice defines whether it is the x or p quadrature that 
is measured. The sifting simply consists in keeping only 
the instances where Alice and Bob's chosen quadratures 
coincide. In this case, the value measured by Bob is dis- 
tributed according to a Gaussian distribution centered 
on the value (+c or — c) sent by Alice. In some sense, 
this protocol can be viewed as "hybrid" because Alice's 
data are binary while Bob's data are real (Gaussian dis- 
tributed). 

These early proposals and their direct generalization 
are called CV protocols with discrete modulation; at the 
same time, another class of CV protocols was proposed 
that rather use a continuous modulation, in particular a 
Gaussian modulation. Although CV protocols are much 
more recent than discrete- variable protocols, their secu- 
rity proofs have been progressing steadily over the last 
years, and are now close to reach a comparable status: 
see a thorough discussion in Sec. IV. Al 



a. Gaussian protocols. The first proposed Gaussian QKD 
protocol was based on squeezed states of light, which are 



modulated with a Gaussian distribution in the x or p 
quadrature by Alice, and are measured via homody ne de- 
tection by Bob (|Cerf. Lew and Van Asschd . [20011) . This 
protocol can be viewed as the proper continuous- variable 
counterpart of BB84 in the sense that the average state 
sent by Alice is the same regardless of the chosen basis (it 
is a thermal state, replacing the maximally- mixed qubit 
state in BB84). The security of this protocol can be 
analyzed using the connection with cont inuous- variable 
cloning (|Cerf. Ipe and Rottenberel . [2000); using a con- 
nection with quantum error-correcting codes, uncondi- 
tional s ecurity was proved when the squeezing exceeds 
2.51 dB (|Gottesman and Preskil]ll200l[) . The main draw- 
back of this protocol is the need for a source of squeezed 
light. 

A second Gaussian QKD protocol was therefore de- 
vised, in which Alice generates coherent states of 
light, which are then Gaussian modulated both in 
x an d p, while Bob still performs homodyne detec- 
tion ( Grosshans and Grangieit l2002al ) . A first proof-of- 
principle experiment, supplemented with the technique 
of reverse reconciliation , was run with bulk optical ele- 
ment s on an optics table ( Grosshans. Van Assche et all 
2003). Subsequent experiments have used optical fibers 
and telecom wavelengths. The scheme was thus imple- 
mented over distances up to 14 km using a P lug&Play 
configuration ( Legre. Zbinden and Gisinl . 120061 ). then up 
to 25 km by time-multiplexing the local oscillator pulses 
with the signal pulses in the same optic al fiber and usin 



an improved classical post-pr o cessin g ([Lodewvck et 
120051; lLodewvck. Bloch et all 120071 ). Another fiber- 
based implementation over 5 km has been reported 
(|Qi. Huang et aZ.I . l2007h . 

Note that, in these two first protocols, Bob randomly 
chooses to homodyning one quadrature, either x or p. In 
the squeezed-state protocol, this implies the need for sift- 
ing. Bob indeed needs to reject the instances where he 
measured the other quadrature than the one modulated 
by Alice, which results in a decrease of the key rate by a 
factor of 2 (this factor may actually be reduced arbitrar- 
ily close to 1 by making an asymmetric choice between x 
and p, provided that the key length is sufficiently large) 
Chau and Ardehalil . Il998-2005l) . In the coherent- 
state protocol, Alice simply forgets the quadrature that 
is not measured by Bob, so that all pulses do carry useful 
information that is exploited to establish the final secret 
key. 

The fact that Alice, in this second protocol, dis- 
cards half of her data may look like a loss of efficiency 
since some information is transmitted and then lost. A 
third Gaussian QKD protocol was therefore proposed 



24 In all Gaussian QKD protocols, reversing the one-way reconcil- 
iation procedure (i.e., using Bob's measured data instead of Al- 
ice's sent data as the raw key) is beneficial in terms of attainable 
range, provided that the noise is not too large. We will come 
back to this point in Section IVl 
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( Weedbrook et all . l2004f ). in which Alice still transmits 
doubly-modulated coherent states drawn from a bivari- 
ate Gaussian distribution, but Bob performs heterodyne 
instead of homodyne measurements 25 , that is, he mea- 
sures both x and p quadratures simultaneously. At first 
sight, this seems to imply that the rate is doubled since 
Bob then acquires a pair of quadratures (x,p). Actually, 
since heterodyne measurement effects one additional unit 
of vacuum noise on the measured quadratures, the two 
quadratures received by Bob are noisier than the single 
quadrature in the homodyne-based protocol. The net ef- 
fect, however, is often an increase of the key rate when 
the two quadratures are measured simultaneously In 
addition, a technological advantage of this heterodyne- 
based coherent-state protocol is that there is no need to 
choose a random quadrature at Bob's side (that is, no 
active b asis choice is needed ). The experiment has been 
realized (jLance et al. I. I2005h . 

Finally, a fourth Gaussian QKD pro tocol was in- 
troduced recently ( Garcia-Patronl 120071 ). which com- 
pletes this family of Gaussian QKD protocols. Here, 
Alice sends again squeezed states, as in the proto- 
col of ( Cerf. Lew and Van AsscheLl200lh . but Bob per- 
forms heterodyne measu rements , as in the protocol of 
(Wee dbrook et aD, \2004) . This protocol is associated 
with the highest rate and range among all Gaussian QKD 
protocols, but requires a source of squeezed light. 

As seen in the discussion about BB84 and SARG04 
above, it turns out also for the CV QKD protocols that 
the classical processing is an essential element of the 
protocol. As will be discussed later (|V.A|) . the per- 
formance of CV-QKD protocols depends crucially on 
the exact protocol that extracts the secret key from 
the experimental data. Two important tools h ere are 
reverse reconciliati on dGrosshans and Grangierl l2002af) 
and post-selection (ISilberhorn et aLl . l2002f ). As shown in 
(|Heid and Liitkenhausl . I2007T ). the combination of both 
will lead to the optimal key rate. 



b. Discrete-modulation protocols. On the side of practical 
implementation, it is desirable to keep the number of sig- 
nals as low as possible, and also to minimize the number 
of parameters in the detection process that needs to be 
monitored. The deep reason behind this is that in prac- 
tical implementation at some stage one has to consider 
finite size effects in the statistics and also in the security 
proof stage. For a continuous family of signals, it will be 
intuitively harder to get hold of these finite size effects 
and to include statistical fluctuations of observations into 
a full security proof. 

For this reason, it becomes interesting to have a look 



at QKD systems that combine a finite number of sig- 
nals with the continuous variable detection schemes: 
discrete-modulation protocols have been devised follow- 
ing this proposal, s ome based on coherent states instead 
of squeezed states ( Silberhorn et all I2002T ) . The signals 
consist here of a weak coherent state together with a 
strong phase reference. The signal is imprinted onto the 
weak coherent state by setting the relative optical phase 
between weak coherent state and reference pulse either 
to or tt. Schematically, the strong phase reference could 
be represented by two local oscillators, e.g. phase-locked 
lasers at the sending and receiving station. These type 
of sig nals have been u sed already in the original B92 pro- 
tocol (|Bennettl . lT992l ). The receiver then uses the local 
oscillator in the homodyne or heterodyne measurement. 
The security of this protocol is still based on the fact 
that the weak signal pulses represent non-orthogonal sig- 
nal states. 

On the receiver side, homodyne detection is performed 
by choosing at random one of the two relevant quadra- 
ture measurement (one quadrature serves the purpose 
of being able to measure the bit values, the other one 
serves the purpose to monitor the channel to limit possi- 
ble eavesdropping attacks). Alternatively, a heterodyne 
measurement can, in a way, monitor both quadratures. 
Consider for definitcness a simple detection scheme, in 
which bit-values are assigned by the sign of the detec- 
tion signal, + or — , with respect to the half-planes in 
the quantum optical phase space in which the two sig- 
nals reside. As a result, both sender and receiver have 
binary data at hand. As in the case of Gaussian modu- 
lation, they can now perform post-selection of data, and 
use error-correction and privacy amplification to extract 
secret keys from these data. 



4. Distributed-phase-reference Protocols 

Both discrete- and continuous-variable protocols have 
been invented by theorists. Some experimental groups, in 
their developments toward practical QKD systems, have 
conceived new protocols, which do not fit in the cate- 
gories above. In these, like in discrete-variable protocols, 
the raw keys are made of realizations of a discrete variable 
(a bit) and are already perfectly correlated in the absence 
of errors. However, the quantum channel is monitored us- 
ing the properties of coherent states — more specifically, 
by observing the phase coherence of subsequent pulses; 
whence the name distributed-phase-reference protocols. 

The first such pr otocol has been called Differential- 
Phas e-Shift (DPS) H noue. Waks and Yamamotol . 120021 
120031 ). Alice produces a sequence of coherent states of 
same intensity 



MSn)) 



\e^-^)\e^^JJ)\e^^JI)... (9) 



25 This poss ibility was also suggested for postsel ection-based pro- 
tocols in l|Lorenz. Ko rolkova and Leuchs, 2004), and the experi- 
ment has been performed llLorenz**er*aU I2OO6O , 



where each phase can be set at ip = or tp = tt 
(Fig. [21). The bits are coded in the difference between 
two successive phases: bk = if e iVk = e lipk + 1 and 
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FIG. 2 The two distributed-phase reference protocol: differ- 
ential phase shift (DPS, top) and coherent one-way (COW, 
bottom). Legend: PM: phase modulator; IM: intensity mod- 
ulator. See text for description. 



E. Sources 

1. Lasers 

Lasers are the most practical and versatile light sources 
available today. For this reason, they are chosen by the 
vast majority of groups working in the field. Of course, 
all implementations in which the source is a laser are 
P&M schemes. For the purposes of this review, we don't 
have to delve deep into laser physics. The output of a 
laser in a given mode is described by a coherent state of 
the field 



\y/jie") = \a) 



E 

71=0 



(11) 



where fi = \a 2 \ is the average photon number (also called 
intensity) . The phase factor e is accessible if a reference 
for the phase is available; if not, the emitted state is 
rather described by the mixture 



f\a){a\ = Y,P{n\ti\n){n\ (12 



bk = 1 otherwise. This can be unambiguously discrim- 
inated using an unbalanced interferometer. The com- 
plexity in the analysis of this protocol lies in the fact 

that |*(«S n )) M&i)) ® •■■ ® IV>( & n)> : tne fc " th P mse 
contributes to both the fc-th and the (k + l)-st bit. 
The DPS protocol has been alre ady the object of sev- 
eral experimental demonst rations ( Diamanti et q?J . l2006t 
iTakesue et qll . I2005L [2007h . 

In the p r otoco l called Coherent- One- Way ( CO W) 
(iGisin et all 120041 : IStuckf et al. I. I2005D . each bit is coded 
in a sequence of one non-empty and one empty pulse: 



with 



10) 



2/.- 



|0) 2fc _ 1 l v / M) 2fc - (io) 



These two states can be unambiguously discriminated 
in an optimal way by just measuring the time of ar- 
rival (Fig. [5]). For the channel estimation, one checks 
the coherence between two successive non-empty pulses; 
these can be produced on purpose as a "decoy sequence" 

Iv^fc-ilv^k' or can ha PP en as Ia/^Iv^Wi 

across a bit separation, when a sequence |l) fc |0) fc+1 is 
coded. This last check, important to detect PNS attacks, 
implies that the phase between any two successive pulses 
must be controlled; therefore, as it happened for DPS, 
the whole sequence must be considered as a single signal. 
A prototype of a full QKD system based on COW has 
been reported recently ( Stucki et all l2008h . 

Both DPS and COW are P&M schemes, tailored for 
laser sources. It has not yet been possible to derive a 
bound for unconditional security, because the existing 
techniques apply only when |\Ij(<S n )) can be decomposed 
in independent signals. We shall review the status of 
partial security proofs in Sec. IVIl 



P(n\n) 



(13) 



Since two equivalent decompositions of the same density 
matrix cannot be distinguished, one may say as well that, 
in the absence of a phase reference, the laser produces a 
Poissonian mixture of number states. 

The rando mization of 9 generalizes to multimode cq - 
herent states (|M0lmeii li"997t Ivan Enk and Fuchsl . l2002fh 
Consider for instance the two-mode coherent state 



i(e+ip)\ 



that may describe for instance a 



weak pulse and a reference beam. The phase (p is the rel- 
ative phase between the two modes and is well-defined, 
but the common phase 9 is random. One can then carry 
out the same integral as before; the resulting p is the Pois- 
sonian mixture with average photon number (i + fjf and 
the number states generated in the mode described by 
the creation operator = [e lip y/fla\ + ^fp7a}^) I yj \i + \i' . 

Let us turn now to QKD. The existence of a refer- 
ence for the phase is essential in both continuous- variable 
and distributed-phase-reference protocols: after all, these 
protocols have been designed having specifically in mind 
the laser as a source. On the contrary, when attenuated 
lasers are used to approximate qubits in discrete proto- 
cols, the phase reference does not play any role. In this 
implementations, p given in (|12p is generically 26 an accu- 
rate description of the quantum signal outside Alice's lab. 



26 One must be careful though: the fact that the phase reference is 
not used in the protocol does not necessarily mean that such a 
reference is physically not available. In particular, such reference 
is available for some source, e.g. when a mode-locked laser is used 



16 



Since p commutes with the measurement of the number of 
photons, this opens the p ossibility of the photon- number- 
splitt i ng (PNS) at tacks (jBennetd . Il992t IBrassard et all 
120001 : iLiitkenhausl . |2000|) . a major concern in practical 
QKD that will be addressed in Sec. IIII.B.3I 



2. Sub-Poissonian Sources 

Sub-Poissonian sources (sometimes called "single- 
photon sources") come closer to a single-photon source 
than an attenuated laser, in the sense that the proba- 
bility of emitting two photons is smaller. The quantum 
signal in each mode is taken to be a photon-number diag- 
onal mixture with a very small contribution of the multi- 
photon terms. The quality of a sub-Poissonian source is 
usually measured through the second order correlation 
function 



92 (t) = 



I(t)I(t 



my 



(14) 



where I(t) is the signal intensity emitted by the source 
and : — : denotes normal ordering of the creation and an- 
nihilation operators. In particular, 32(0) ~ 2p(2)/p(l) 2 , 
while p(n) is the probability that the source emits n pho- 
tons. For Poissonian sources, 52(0) = 1; the smaller 
g 2 (0), the closer the source is to an ideal single-photon 
source. It has been noticed that the knowledge of the 
efficiency and of g 2 is enough to characterize the perfor- 
mance of such a source in an i mplem entation of BB84 
( Waks. Santori and Yamamotd . [2003 ) . 

Sub-Poissonian sources have been, and still are, the 
object of intensive research; r ecent reviews cover the 
most meaning ful developments ( Lounis and Orritl 120051 : 



most meaning 

IShieldsL 120071 ). In the context of QKD, the discovery of 
PNS attacks triggered a lot of interest in sub-Poissonian 
sources, because they would reach much higher secret 
fractions. QK D experiments h a ve been performed with 
such sources (lAlleaume et all 12004 iBeveratos et al 
2002t IWaks et all l2002f ). also in fibers (jlntallura et al 



20071 ) thanks to the development of sources at tele- 



com wavelengths ( Saint-Girons et all , l2006t I Ward etHJl , 
2005; Z mom et aLl l2006l )r At the moment of writing, this 
interest has significantly dropped, as it was shown that 
the same rate can be achieved with lasers by using decoy 
states, see IIV.B.3I and IIV.B.41 But the tide may turn 
again in the near f uture, for applica t ions i n QKD with 
quantum repeaters ( Sangouard et al] , l2007f) . 



3. Sources of Entangled Photons 

Entangled photon pairs suitable for entanglement- 
based protocols or for heralded sub-Poissonian sources 
are mostly generate d by spontaneous p aram etric down 
conversion (SPDC) (|Mandel and Woli Il995l) . In this 
process some photons from a pump laser beam are con- 
verted due to the non-linear interaction in an optical crys- 
tal 27 into pairs of photons with lower energies. The total 
energy and momentum are conserved. In QKD devices, 
cw-pumped sources are predominantly used. 

In the approximation of two output modes, the state 
behind the crystal can be described as follows 



PDC 



(15) 



71=0 



where A = tanh £ with £ proportional to the pump ampli- 
tude, and where |wa 7 «_b) denotes the state with n pho- 
tons in the mode destined to Alice and n photons in the 
other mode aiming to Bob. This is the so called two- 
mode squeezed vacuum. 

The photons are entangled in time and in frequen- 
cies (energies); one can also prepare pairs of pho- 
tons correlated in other deg rees of free dom: polariza- 
tion dKwiat et aZ-L 1 1 995L 1 19991 ) . time bins (jBrendel et all 
Il999fc iTittel et all 12000). momenta (dire ctions) , or or- 
bital angular momenta (jMair et all l200l[ ) . 

The state (|15|) can be directly utilized in continuous- 
variable protocols. In the case of discrete- variable 
protocols, one would prefer only single pair of pho- 
tons per signal; however, SPDC always produces multi- 
pair components, whose presence must be taken into 
account. Let us describe this in the four- mode ap- 
proximation, which is suf ficient fo r the description of 
fs-pulse pumped SPDC (|Li et all l2005f ). An ideal 
two-photon maximally entangled state reads = 
A= (|1, 0) A |1, 0) fl + |0, 1)^10, 1) B ) where each photon can 

be in two different modes (orthogonal polarizations, dif- 
ferent time-bins...). This state can be approximately 
achieved if A <C 1, i.e. if the mean pair number per pulse 
H = 2A 2 /(1 — A 2 ) <C 1. But there are multi-pair compo- 
nents: in fact, again in the case of a four- mode approxi- 
mation, the generated state reads 

|*> « Vp(o)|o> + VpO)I*2> + Vp(2)I*4) (16) 

where p(l) w fj, and p{2) ss |/it 2 , |0) is the vacuum state, 
and the four-photon state is |* 4 ) = (|0, 2)|Q, 2) + 



to produce pulses. In such cases, even though Alice and Bob 
don't use the phase coherence in the protocol, the signal is no 
longer correctly described by H12I I, and Eve can in principle take 
advantage of the existi ng coherence to obtain more information 
l|Lo and PreskillL |2007|V_ Therefore it is necessary to implemen t 
active randomization iGisin et aUl2006l;IZhao. Qi and Lc] . l2007ri . 



Crystals like KNb0 3 , LUO3, LiNb0 3 , /3-BaB 2 4 , etc. 
Very promising ar e periodically-poled nonlinear materials 
l lTanzilli at nij ,| 20 01). Besides the spontaneous parametric down 
conversion, new sources of enta ngled photons based on quantum 
dots are tested in laboratories (Young at al., 2006). But these 
sources are still at an early stage of development. Their main 
drawback is the need of cryogenic environment. 
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|2, 0)| 2, 0) + |1, 1) |1, 1>) . We recall that this description is 
good for short pump pulses; when a cw-pumped source 
is used (or the pulse-pumped source with the pulse du- 
ration much larger than the coherence time r of the 
down-converted photons) the four-mode approximation 
is not applicable and a continuum of frequency modes 
must be taken into account. The multiple excitations 
created during the coherence time r are coherent and 
partially correlated: in this case, the four-photon state 
is a fully entangled state that cannot be written as "two 
pairs" — see |\&4) above 28 . However, r is usually much 
shorter than the typical time At that one can discrimi- 
nate, this time being defined as the time resolution of the 
detectors for cw-pumped sources 29 or as the duration of 
a pulse for pulsed sources. This implies that, when two 
photons arrive "at the same time" , they may actually 
arise from two incoherent processes, and in this case the 
observed statistics corresponds to that of two indepen- 
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What concerns us here is the advantage that Eve may 
obtain, and in particular the efficiency of PNS attacks. If 
the source is used in a P&M scheme as heralded single- 
photon source, then the PNS attack is effective as usual, 
because all the photons that travel to Bob have bee n 
actively prepared in the same state ( Lutkenhausl l2000h : 
i deas inspired from decoy states can be used to dete ct it 
(|Adachi et all l2007t iMauerer and Silberhornl . I2007D . In 
an EB scheme, the PNS attack is effective on the frac- 
tion £ w t I At of coherent four-photon states; besides, 
all multi-pair contributions inevitably produce errors in 
the correlations Alice-Bob. We shall come back to these 
points in Sec. IIV.B.5I 



F. Physical Channels 

As far as the security is concerned, the quantum chan- 
nel must be characterized only a posteriori, because Eve 
has full freedom of acting on it. However, the knowledge 
of the a "priori expected behavior is obviously important 
at the moment of designing a setup. We review here the 
physics of the two main quantum channels used for light, 
namely optical fibers and free space beams. 

An important parameter of the quantum channel is the 
amount of losses. Surely enough, a key can be built by 
post-selecting only those photons that have actually been 



28 Though a nuisance in qubit-based protocols, the existence of such 
four photon components can lead to new opportunities for QKD , 
as p ointed out independently in l lBrassard. Mor and Sanders! . 
l200Ch and l|Durkin et qZj.l2002t) . 

29 However, a recent entanglement-swapping experiment combined 
fast det ectors and na r row fi lters to achieve At < r in cw-pumped 
SPDC ( Haider et am2007l) . 



detected. But, since quantum signals cannot be ampli- 
fied, the raw key rate decreases with the distance as the 
transmission t of the channel; in addition, at some point 
the detection rate reaches the level of the dark counts 
of the detectors, and this effectively limits the maximal 
achievable distance. Finally, in general the lost photons 
are correlated to the signal and thus must be counted as 
information that leaked to Eve. 

Concerning the interaction of photons with the envi- 
ronment in the channel, the effect of decoherence depends 
strongly on the quantum degree of freedom that is used; 
therefore, although weak in principle, it cannot be fully 
neglected and may become critical in some implementa- 
tions. 



1. Fiber Links 

The physics of optical fibers has been explore d in depth 
becau se of its importance for communication ( AgrawaH 
Il997l) . When we quote a value, we refer to the specifi- 
cations of the standard fiber Corning SMF-28 (see e.g. 
www.ee.byu.edu/photonics / connectors. parts / smf28.pdf) ; 
obviously, the actual values must be measured in any 
experiment. 

The losses are due to random scattering processes and 
depend therefore exponentially on the length I: 



t = io- q£/1 °. 



(17) 



The value of a is strongly dependent on the wavelength 
and is minimal in the two "telecom windows" around 
1330nm (a ~ 0.34dB/km) and 1550nm (a ~ 0.2dB/km). 

The decoherence channels and their importance vary 
with the coding of the information. Two main effects 
modify the state of light in optical fibers. The first 
effect is chromatic dispersion: different wavelengths 
travel at slightly different velocities, thus leading to 
an incoherent temporal spread of a light pulse. This 
may become problematic as soon as subsequent pulses 
start to overlap. However, chromatic dispersion is a 
fixed quantity for a given fiber, and can be c ompcn- 
sated (jFasel. Gisin. Ribordv and Zbindenl . 12004) . The 
second effect is polariza tio n mo de dispersion (PMD ) 
(IGaltarossa and MenvukL I2005L [G isin and Pellauxl . 
I1992D . This is a birefringent effect, which defines a fast 
and a slow polarization mode orthogonal to one another, 
so that any pulse tends to split into two components. 
This induces a depolarization of the pulse. Moreover, 
the direction of the birefringence may vary in time due 
to environmental factors: as such, it cannot be compen- 
sated statically. Birefringence effects induce decoherence 
in polarization coding, and may be problematic for all 
implementations that require a control on polarization. 
The importance of such effects depend on the fibers and 
on the sources; recent implementations can be made 
stable, even though they use a rather broadband source 
(Hti bel et ad 120071) . 
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2. Free Space Links 

A free space QKD link can be used in several 
very different scenarios, from short distance linc- 
of-sight links with small telescopes mounted on 
rooftops in urban areas, to ground-space or even 
space-space links, involving the use of astronomi- 
cal telescopes (see also IVIII.A.41) . Free-space QKD 
has been demonstrated in both the prepa r e- and- 



measure (iButtler et all Il998t iHughes et all 12002 : 



Kurtsiefer et al. , 20021 : iRaritv. Gorman and Tapster 



20011 ) a nd the en tangle me nt-based co nfigu- 



rations (lErven et all 20081: Ling et~al\ . 



Marcikic. Lamas-Linares and Kurtsiefe: 



Ursin et all |2007) 



2008; 



2006; 



The decoherence of polarization or of any other de- 
gree of freedom is practically negligible. The losses can 
roughly be divided into geometric and atmospheric. The 
geometric losses are related with the apertures of receiv- 
ing telescopes and with the effective aperture of the send- 
ing telescope (the one perceived by the receiving tele- 
scope, which is influenced by alignment, moving build- 
ings, atmospheric turbulence etc.). The atmospheric 
losses are due to scattering and to scintillation. Con- 
cerning scattering, within the 700-10. OOOnm wavelength 
range there are several 'atmospheric transmission win- 
dows', e.g. 780-850nm and 1520-1600nm, which have an 
attenuation a < O.ldB/km in clear weather. Obviously, 
the weather conditions influence hea vily such losses; nu- 
merical values are availab le, see e.g. ([Bloom et aLl . l2003t 
iKim and Korevaarl 1200 if ). A simple model of the losses 
for a line-of-sight free space channel of length t is there- 

2 

10 -a£/10 where the first 



fore given by t « (jpfre) 



term is an estimate of the geometric losses (d s and d r are 
the apertures of the sending and receiving telescopes, D 
is the divergence of the beam) and the second describes 
scattering (a is the atmospheric attenuation). We note 
that this formula does not account for scintillation, which 
is often the most critical factor in practice. 



G . Detectors 

1. Photon Counters 



parameters are listed in Table U 

The most commonly used photon counters in discrete- 
variable systems are avalanche photodiodes (APD). 
Specifically, for wavelengths from the interval approx- 
imately 400-1000 nm Si APD can be used, for wave- 
lengths from about 950 nm to 1650 nm, including tele- 
com wavelengths, InGaAs/InP diodes are most often 
applied. A whole savoir-faire on the use of APDs 
has originated in the field of QKD dCova et all 12004 
iGisin. Ribordv. Tittel and Zbindenl . [2002) . Because they 
can be operated with thermo-electric cooling, these de- 
tectors are an obvious choice for p ractical QKD, and in 
particular for c omme rcial devices ( Ribordv et all 12004 
iTrifonov et all 12004 ). Two recent developments are 
worth mentioning. First: instead of direct use of In- 
GaAs APDs, one can detect signals at telecom wave- 
lengths (1310 nm and 1550 nm) by applying parametric 
frequen cy up-conversion and then using efficien t silicon 
APDs (|Diamanti et all 120051: iThew et all 120061) . Com- 
pared with InGaAs APDs, these up-conversion detectors 
have lower quantum efficiency but could in principle be 
operated in continuous mode thus leading to repetition 
rates (GHz); however, as of today's knowledge, they suf- 
fer from an intrinsic noise source that leads to high dark 
count rates. Second: more recently, an improvement 
of the repetition rate and count rate by several orders 
of magnitude has been obtained by using a circuit that 
compares the output of the APD with that in the pre- 
ceding clock cycle; such devices have been named self- 
differencing APDs (Yuan et aLl . l2007[ ). 



Single-photon detectors other than APDs have been 
and are being developed. For instance, Visi- 
ble Light Photon Counters are semiconductor detec- 
tors that can al so disting u ish t h e number o f im- 
pinging photons (IKim et all 1 19991 IWaks et all 120031: 
IWaks. Diamanti and Yamamotol |2006| ). Other photon- 
counters are based on superconductors, for instance Su- 



perconducti ng Single Photon Detectors (Verevkin et al. 



2002, 2004) a nd Transition E dge Sensors ([Miller et al. 



120031 ; iRosenberg et all l2005t ): bot h types have b e en al- 
ready used in QKD experiments (Hadfi eTd et all 120061 : 
iHiskett et all , 120061: [Rosenberg et all l2007l \20m . Each 
type has its own strong and weak features; in particular, 
all of them must be operated at cryogenic temperatures. 



Discrete- variable protocols use photon-counters as de- 
tectors. The main quantities characterizing photon- 
counters are the quantum efficiency r\ that represents the 
probability of a detector click when the detector is hit by 
a photon, and the dark-count rate pd characterizing the 
noise of the detector - dark counts are events when a 
detector sends an impulse even if no photon has entered 
it. An important parameter is also the dead time of the 
detector, i.e. the time it takes to reset the detector af- 
ter a click. These three quantities are not independent. 
Most often, the overall repetition rate at which the de- 
tector can be operated is determined by the dead time. 
For each of the detectors discussed below, the meaningful 



2. Homodyne Detection 

Continuous-variable QKD is based on the measure- 
ment of quadrature components of light. This can con- 
veniently be done by means of optical homodyne detec- 
tion. This detection scheme uses two beams of the same 
frequency: the signal and the so-called local oscillator 
(much stronger and therefore often treated as classical). 
The beams are superimposed at a balanced beam split- 
ter. The intensity of light in each of the output modes 
is measured with proportional detectors, and the differ- 
ence between the resulting photocurrents is recorded. If 
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Name 
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Si 
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50-200 


250 


N 


InGaAs 
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Others: 


















VLPC 


650 


58-85% 


20kHz 


cw 


0.015 


N.A. 


6 
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SSPD 


1550 


0.9% 


100Hz 


cw 


N.A. 


68 


2.9 


N 


TES 


1550 


65% 


10Hz 


cw 


0.001 


9xl0 4 


0.1 


Y 



TABLE I Overview of typical parameters of single-photon de- 
tectors: detected wavelength A, quantum efficiency rj, fraction 
of dark counts Pd (g: gate), repetition rate (cw: continuous 
wave), maximum count rate, jitter, temperature of operation 
T; the last column refers to the possibility of distinguishing 
the photon numbers. For acronyms and references, refer to 
the main text. 



the amplitude and the phase of the local oscillator are 
stable, the differential current carries information about 
a quadrature component of the input signal — what 
quadrature component is actually measured depends on 
the phase difference between the signal and local oscil- 
lator. To keep this phase difference constant, the signal 
and local oscillator are usually derived from the same 
light source: the local oscillator beam needs to be trans- 
mitted along with the signal from Alice to Bob; in prac- 
tice, they are actually sent through the same channel, 
so that they experience the same phase noise and the 
relative phase remains unaltered — note however that 
this practical change may render the scheme completely 
insecure, unless additional measurements are performed 
to veri fy the character of both the weak and th e strong 
signal (jHaseler. Moroder and Liitkenhausl . 120081 ). 

The intensities are measured by PIN diodes, which 
provide high detection efficiency (typically 80%) and 
relatively low noise. Therefore homodyne detection 
could in principle operate at GHz repetition rates 
()Camatel and Ferrerol . 12006) in contrast to photon coun- 
ters based on APDs, whose detection rate is limited by 
the detector dead-time. 

The use of such a high-rate homodyne detection tech- 
nique unfortunately comes with a price. Because of 
the uncertainty principle, the measurement of comple- 
mentary quadratures is intrinsically noisy. The vacuum 
noise (or intrinsic noise) is the noise obtained when 
there is vacuum in the signal port (only the local os- 
cillator is present). Now, the unavoidable transmission 
losses in the optical line, which simply cause "missing 
clicks" in photon-counting based schemes, result in a de- 
crease of the signal-to-noise ratio in homodyne-detection 
based schemes. The vacuum noise is responsible for 
a rather significant added noise in continuous-variable 
QKD, which needs to be corrected during the classical 
post-processing stage: an additional computing effort in 
continuous- variable QKD. 



In addition to the vacuum noise, an excess noise is gen- 
erated mainly by detectors themselves and by the subse- 
quent electronics. In real systems, it is possible to reduce 
the excess noise even 20 dB below the shot noise; but this 
ratio depends on the width of the spectral window, and 
narrow spectral windows bound the modulation frequen- 
cies (i.e. the repetition rates). 



H. Synchronization and alignment 

I. Generalities 

The problem of the synchronization of two distant 
clocks, in itself, is a technical matter that has been solved 
efficiently in several different ways; basically, either one 
sends out a synchronization signal at regular intervals 
during the whole protocol, or one relies on an initial syn- 
chronization of two sufficiently stable clocks. In the con- 
text of QKD, one has to consider possible hacking attacks 
that would exploit this channel (more in Sec. IIII.B.4|) . 

The physical meaning of alignment depends on the 
coding. For coding in polarization, it obviously means 
that Alice and Bob agree on the polarization directions. 
For phase coding, it refers rather to the stabilization of in- 
terferometers. Both procedures are most often performed 
by sending a servoing signal at a different frequency than 
the quantum signal, taking advantage of the bandwidth 
of the optical channel. Alternatively, self-stabilized se- 
tups have been proposed: this is the so-called Plug&Play 
configuration, that wc shall describe in the next para- 
graph in the context of phase-coding. 

Before that, we have to mention that quantum me- 
chanics allows also for a coding that does not require any 
alignment b y exploiting th e so-ca l led "decoherence-free 
subspaces" ( Boileau et all |2004 IZanardi and Rasettil . 

However, though demonstrated in some 



r 



1199 

proof-of- principle experiments ( Bourennane et al\ , |2004 
IChen et M H006), such coding is highly impractical, as 
it requires the preparation and measurement of com- 
plex multi-photon states; moreover, it is very sensitive 
to losses 30 . 



30 The simplest example is the singlet state of two qubits: when 
both qubits are sent into the quantum channel, the state is ro- 
bust against any misalignment U since U (&U\ty~) = l^ - }- With 
four physical qubits, there are two orthogonal states such that 
U ® U <S> U ® U\ipo,l) = IV'O.l}; therefore, one can form an ef- 
fective logical qubit |0) = |^>o) and |1) = \ipi) that is insensitive 
to misalignments. The states |V , 0,l) are not easy to prepare and 
to detect. As a matter of fact, the available experiments did 
not produce those states: they produced a quite complex pho- 
tonic state, that gives the required statistics conditioned on the 
observation of a specific detection pattern. In turn, this implies 
that all four photons must be transmitted and detected, therefore 
losses lead to a very fast decrease of the detection rate. 
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2. Phase coding: two configurations 
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FIG. 3 Comparison of the one-way and two-way configura- 
tions for phase coding. The one-way configuration is called 
double Mach-Zehnder (top). Alice splits each laser pulse 
into two pulses with relative phase a; if Bob's phase is such 
that a — /3 = modulo ir, the outcome is deterministic 
in the absence of errors. In the two-way configuration, or 
Plug&Play (bottom), the source of light is on Bob's side. In 
detail: an intense laser pulse is sent through a circulator (C) 
into Bob's interferometer. The phase modulator is passive at 
this stage, but a polarization rotation (R) is implemented so 
that all the light finally couples in the fiber. On Alice's side, 
part of the light is deflected to a proportional detector (PD) 
that is used to monitor Trojan Horse attacks. The remaining 
light goes to a Faraday mirror (FM) that sends each polar- 
ization on the orthogonal one. On the way back, the pulses 
are attenuated down to the suitable level, then the coding is 
done as above. The role of the delay line (DL) is explained in 
the text. 

We consider P&M schemes with phase coding. This 
coding has been the preferential choice in fiber imple- 
mentations and has given rise to two possible configu- 
rations (Fig. [3]). In the configuration called one-way, 
the laser is on Alice's side; it is typicall y realized with 
a double Mach-Zehnder interferometer jBennettl , Il992t 
iTownsend. Rarity and Tapsterl . fl993K The other possi- 
ble c onfiguration has be e n called Plug&Play c onfigura- 
tion (jMuller et all Il997t iRibordv et ail Il998l) . As the 
name suggests, the goal of the Plug&Play configuration 
is to achieve self- alignment of the system. Contrary to 
the one-way configuration, the Plug&Play configuration 
puts the source of light on Bob's side: a strong laser 
pulse travels on the quantum channel from Bob to Alice. 
Alice attenuates this light to the suitable weak intensity 
(surely less than one photon per pulse in average, more 
precisions below and in Sec. IIV.B.4[) . codes the infor- 
mation and sends the remaining light back to Bob, who 
detects. The coded signal goes as usual from Alice to 
Bob; but the same photons have first traveled through 



the line going from Bob to Alice. This way, interferome- 
ters become self-stabilized because the light passes twice 
through them; if the reflection on Alice's side is done 
with a Faraday mirror, polarization effects in the channel 
are compensated as well. These two configurations have 
shaped the be ginning of practical QKD; we refer to ^pre- 
vious review (|Gisin. Ribordv. Tittel and Zbinderl l2002t ) 
for a thorough discussion. 

It is useful here to address some problems that are 
specific for the Plug&Play configuration, since they il- 
lustrate the subtleties of practical QKD. The system has 
an intrinsic duty cycle, which limits the rate at long dis- 
tances: Bob must wait a go-and-return cycle before send- 
ing other strong signals, otherwise the weak signal coded 
by Alice will be overwhelmed by the backscattered pho- 
tons of the new strong ones 31 . The nuisance has been 
reduced by having Bob send, not just one pulse, but a 
train of pulses; on Alice's side, a sufficiently long delay 
line must be added: all the pulses must have passed the 
phase modulator before the first one comes back and is 
coded. Still, this duty cycle is a serious bottleneck com- 
pared to one-way configurations. 

Also, two specific security concerns arise for the 
Plug&Play configuration. First concern: in full general- 
ity, there is no reason to assume that Eve interacts only 
with the signal going from Alice to Bob: she might as 
well modify the signal going from Bob to Alice. A sim- 
ple argument suggests that this is not helpful for Eve: 
Alice attenuates the light strongly and should actively 
randomize the global phase; then, whatever the state 
of the incoming light, the outgoing coded light consists 
of weak signals w ith almost exact Poissonian statistics 
(|Gisin et alll200fih . Indeed, the rigorous analysis shows 
that unconditional security can be proved if the global 
phase is actively randomize, and that the resulting se- 
cret fractions are only slightly lo wer than those achievabl e 
with the one-way configuration (|Zhao. Qi and Lol . 120081 ). 
Second concern: since Alice's box must allow two-way 
transit of light, Trojan Horse attacks (see IIII.B .4|) must 
be monitored actively, whereas in one-way setups they 
can be avoided by passive optical isolators. In practice, 
this may decrease the limiting distance 32 . 



As a matter of fact, the back-scattering and the corresponding 
duty cycle could be avoided, but at the price of attenuating the 
pulses already at Bob's side. In turn, this implies that (i) a 
different channel should be used for synchronization, and (ii) the 
maximal operating distance is reduced in practice, especially if 
one takes Trojan Horse attack s into account, see below . Such a 
setup has been demonstrated (Bcthunc and Risk, 2000). 
The argument goes as follows: upon receiving Bob's pulse, Alice 
attenuates it down to the desired intensity fi. Now, it turns out 
that a simple error by a factor of 2, i.e. sending out 2fi instead 
of fi, would spoil all security fsec HV.B.4t . This implies that the 
intensity of the input pulse must be monitored to a precision far 
better than this factor 2. This precision may be hard to achieve 
at long distances, when Bob's pulse has already been significantly 
attenuated by transmission. 
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It is not obvious what the future perspectives of the 
Plug&Play configuration will be: recently, stabilized one- 
way configurations have been demonstrated, which can 
also reach optical visibilities la rger than 99% and have 
a less constraining duty cycle ( Gobbv, Yuan and Shields! . 
2004). Still, the Plug&Play configuration is an impor- 
tant milestone of practical QKD: in particular, the first 
commercial QKD systems are based on it 33 . 



III. SECRET KEY RATE 



We have seen in Sec. III. B. 41 that the secret key rate 
K is the product of two terms ©, the raw key rate R 
and the secret fraction r. This section is devoted to a 
detailed study of these two factors. Clearly, the latter is 
by far the more complex one, and most security studies 
are devoted only to it; however the raw key rate is crucial 
as well in practice and its proper description involves 
some subtleties as well. We will therefore start from this 
description. 



A. Raw key rate 



The raw key rate reads 



R = vs Prob(Bob accepts) 



(18) 



The second factor depends both on the protocol and on 
the hardware (losses, detectors) and will be studied for 
each specific case. The factor i/$ is the repetition rate. 

In the case of pulsed sources v$ is the repetition rate of 
the source of pulses. Of course, v$ < v™ ax , the maximal 
repetition rate allowed by the source itself; but two other 
limitations may become important in limiting cases, so 
that the correct expression reads 
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(19) 



We explain now what the two last terms mean. 

The first limitation is due to the dead-time of the de- 
tectors Td- In fact, it is useless to send more light than 
can actually be detected (worse, an excess of light may 
even give an advantage to Eve). One can require that 
at most one photon is detected in an interval of time Td', 
the detection probability is Prob(Bob detects) ~ uttsT) 
with fi — (n) < 1 the average number of photons pro- 
duced by the source, t the transmittivity of the quantum 
channel, ts the losses in Bob's device and r\ the efficiency 
of the detector. Therefore, vg % (jd fittst])' 1 . It is clear 
that this limitation plays a role only at short distances: 



as soon as there are enough losses in the channel, fewer 
photon will arrive to Bob than can actually be detected. 

The second limitation is associated to the existence of 
a duty cycle: two pulses cannot be sent at a time interval 
smaller than a time Td c determined by the setup. The 
expression for Td c depends on the details of the setup. In 
Plug&Play configurations for instance, one cannot send 
the next train of bright pulses before the weak signal of 
the earlier train has come back pi.H.2|) : the effect be- 
comes important at long distance. Another example of a 
duty cycle is the one introduced by a stabilization scheme 
for one-way configurations, in which e ach coded signal is 
prece ded by a strong reference signal ( Yuan and Shields! 
|2005| ). Note finally that in any implementation with 
time-bin coding, the advanced component of the next 
signal must not overlap with the delayed component of 
the previous one. 

In the case of heralded photon sources or 
entanglement-based schemes working in a continuous- 
wave (cw) regime it is reasonable to define vg as an 
average rate of Alice's detections, thus 34 
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Here r\A^A^ is the trigger rate, with which Alice an- 
nounces the pair creations to Bob, with // being the 
pair-generation rate of the source, tA is the overall trans- 
mittance of Alice's part of the apparatus, and t\a is the 
efficiency of Alice's detectors. Of course, in practice this 
rate is limited by the dead time of Alice's detectors rf . 
The whole repetition rate is limited by Bob's detector 
dead time Td and by the width of coincidence window At 
(usually At <C Td). 



B. Secret fraction 

1. Classical information post-processing 

To extract a short secret key from the raw key, clas- 
sical post-processing is required. This is the ob j ect of 
this paragraph, fo r more details see e.g. (jRennerl . liool 



tnis paragrapn, tor more 

IVan Asschd . l2006ft . The security bounds for the secret 
fraction crucially depend on how this step is performed. 



a. One-way post-processing. These are the most studied 
and best known procedures. One of the partners, the one 
who is chosen to hold the reference raw key, sends classi- 
cal information through the public channel to the other 
one, who acts according to the established procedure on 



33 The configuration has been used also f or continuous- variable cod- 
ing {Lcgre, Zbindenand_Gisir ,12006), for a distributed- phase- 
reference protocol jZhou et aU l2003fl and for no n-cryptographic 
quantum information tasks jBrainis etoH I2003T) . 



34 The source is assumed to be safe at Alice's side. It is supposed 
that Alice's detectors are still "open" (not gated). Dark counts 
and multi-pair contributions were neglected in the estimation of 
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his data but never gives a feedback. If the sender in this 
procedure is the same as the sender of the quantum states 
(Alice with our convention), one speaks of direct recon- 
ciliation; in the other case, of reverse reconciliation. The 
optimal one-way post-processing has been characterized 
and consists of two steps. 

The first step is error correction (EC), also called in- 
formation reconciliation, at the end of which the lists of 
symbols of Alice and Bob have become shorter but per- 
fectly correlated. As proved by Shannon, the fraction of 
perfectly correlated symbols that can be extracted from 
a list of partially correlated symbols is bounded by the 
mutual information I (A : B) = H(A) + H(B) - H(AB) 
where H is the entropy of the probability distribution. 
In the context of one-way procedures with a sender S 
and a receiver R, it is natural to write I(A : B) in the 
apparently asymmetric form H(S) — H(S\R). This for- 
mula has an intuitive interpretation, if one remembers 
that the entropy is a measure of uncertainty: the sender 
must reveal an amount of information at least as large 
as the uncertainty the receiver has on the reference raw 
key. 

The second step is privacy amplification (PA). This 
procedure is aimed at destroying Eve's knowledge on the 
reference raw key. Of course, Alice and Bob will have 
chosen as a reference raw key the one on which Eve has 
the smallest information: here is where the choice be- 
tween direct and reverse reconciliation becomes meaning- 
ful 35 . The fraction to be further removed can therefore 
be written min (Iea, Ieb), where Ig. is Eve's informa- 
tion on the raw key of Alice or Bob, that will be defined 
more precisely in the next paragrap h IIII.B.2| PA wa s 
first mentioned in ( Bennett. Brassard and RobertJ .fl988). 



then established in ( Bennett et al\ , 1995h . This reference 
has been considered as valid for one decade but, after 
the notion of universally composable security was intro- 
duced (s ee III. C. 21). it had to be rep laced by a generalized 
version cnncr and Konid . 120051 ). At the moment of 
writing, the only PA procedure that works in a provable 
way is the one based on two- universal hash functions 36 . 



35 Note that, I(A : B) being symmetric, there is no difference be- 
tween direct and reverse reconciliation at the level of EC, as 
expected from the nature of the task. 

36 A set T of functions / : X — » Z is called two-universal if 
Pr[/(x) = f(x')] < j^j for x ^ x' and / chosen at random 
with uniform probability. It is instructive to see why this defi- 
nition is meaningful for privacy amplification. After EC, Alice 
and Bob share the same list of bits x\ Eve has an estimate x' of 
this list. For PA, Alice chooses / from the two-universal set and 
announces it publicly to Bob. Both Alice and Bob end up with 
the shorter key z = f(x); but the probability that Eve's estimate 
z' = f(x') coincides with z is roughly 1/\Z\: Eve might as well 
choose randomly out of the set Z of possible final keys. 
Two-universal hash-functions, e.g. in the form of matrix multi- 
plica t ion, can be implemented ef ficiently (Carter and W egmanl , 
1 19791: IWeeman and Carted. Il98ll) . The size of the matrices is 
proportional to the length N of the raw key. Against a classi- 
cal adversary, other extractors exist whose size grows only like 



Also, for composability, the protocol must be symmetric 
under permutations: in particular, the pairs for the pa- 
rameter estimation must be chosen at random, and the 
hash function has to be symmetric (as it is usually). 

In summary, the expression for the secret fraction ex- 
tractable using one-way classical post-processing reads 



I (A : B) -mia (Iea, Ieb) 



(21) 



b. Remarks on practical EC. As mentioned above, the 
performance of EC codes is bounded by Shannon's mu- 
tual information. Practical EC codes however do not 
reach up to the Shannon bound. For a priori theoretical 
estimates, it is fair to increase the number of bits to be 
removed by 10-20% ; more precise estimates are available 
(|Liitkenhausl . 119991 ) but ultimately the performance must 
be evaluated on each code. We shall take this correction 
explicitly into account in Sections IIVIIVIII 

In addition, most of the efficient EC codes that are ac- 
tually implemented, e.g. Cascade ([Brassard and Salvaill . 
119941) . use two-way communication. To fit these two-way 
EC codes in the framework of one-way post-processing, 
one can give the position of the errors to Eve and treat all 
comm unication as one-way communication ( Lutkenhaud . 
Il999l ). Alternatively, o ne can use encrypt ion of the EC 
data, as s uggested in (| Lutkenhaud . Il999l ) and formally 
proved in (|Lol 120031 ). 

Note finally that it is not necessary to estimate the 
error rate with a small sample of the data: instead, the 
parties learn naturally the precise number of errors dur- 
ing the EC procedure. 



c. Other forms of post-processing. Bounds can be im- 
proved by two-way post-processing, one refers to any pos- 
sible procedure in which both partners are allowed to 
send i n formation. Since its first a ppearance in QKD 
(IChaul . l2002t iGisin and Wonl Il999l : iGottesman and Lol . 
|2003[ ). this possibility has been the object of several stud- 
ies 37 . Contrary to the one-way case, the optimal proce- 
dure is still not known, basically because of the complex- 
ity of taking feedback into account. 

More recently, a further trick to improve bounds was 
found, called pre-processing: before post-processing, the 
sender (for one-way) or both partners (for two-way) can 
add locally some randomness to their data. Of course, 



log TV; but at the moment of writing, it is not known whether 
a similar construction exists i n the case where the adversary is 
quantum (Konig and Renncr, 2007). 

We note that some of the security cl aims in the first pa - 
per dealing with advantage distillation (|Gisin and W olf. 1999) 
were imprecise. These works have also had an intriguing off- 
sprin g, the conjecture of the existence of "bound information" 
(Gisin and Wolf, 200 0]), later p r oved for three-partite distribu- 
tions jAcin, Cir ac and Masancs, 200j|). 
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this decreases the correlations between them, but it de- 
creases Eve's information as well, and remarkably the 
overa ll effect may be positive ( Kraus. Gisin and Rennerl . 
120051: iRenner. Gisin and Krausl \200§ i~ 

Both pre-processing and two-way post-processing are 
easy to implement and allow extracting a secret key 
in a parameter region where one-way post-processing 
would fail; in particular, the critical tolerable error rate 
is pushed much higher 38 . To our knowledge though, 
they have been implemented only once in real systems 
( Ma et al\ . 12006t h The reason is that, in terms of se- 
cret key rate, an improvement can be appreciated only 
when the dark counts become dominant 39 , a regime 
in which few systems tend to operate — see however 
(iRosenberg et al .L l2009HTanaka et al ]. l2008tlYuan et all 
120081 ). Therefore, in what follows, we shall present only 
bounds for one-way classical post-processing without pre- 
processing. 



2. Individual, Collective and Coherent Attacks 



As stressed from the beginning (jll.C.ip . one aims ul- 
timately at proving unconditional security, i.e. security 
bounds in the case where Eve's attack on the quantum 
channel is not restricted. Such a lower bound for security 
has been elusive for many years A[) : it has nowadays 
been proved for many protocols, but is still missing for 
others. In order to provide an ordered view of the past, 
as well as to keep ideas that may also be useful in the 
future, we discuss now several levels of security. 



a. Individual (or incoherent) attacks. This family de- 
scribes the most constrained attacks that have been stud- 
ied. They are characterized by the following properties: 

(II) Eve attacks each of the systems flying from Alice to 
Bob independently from all the other, and using the 



same strategy . This property is easily formalized 
in the EB scheme: the state of n symbols for Alice 
and Bob has the form = (pab)®™- 

(12) Eve must measure her ancillae before the classical 
post-processing. This means that, at the beginning 
of the classical post-processing, Alice, Bob and Eve 
share a product probability distribution of classical 
symbols. 

In this case, the security bound for one-way post- 
processing is the Csiszdr-Korner bound, given by (121 
with 



I AX 



max I (A : E) 

Eve 



(individual attacks) (22) 



and of course similarly for I be ( Csiszar and Kornerl 
I1978D . Here, I (A : E) is the mutual infor- 
mation between the classical symbols; the notation 
maxEve recalls that one must maximize this mutual 
information over Eve's strategies. There is actu- 
ally an ambiguity in the literature, about the mo- 
ment where Eve is forced to perform her measure- 
ment: namely, whether she is forced to measure im- 
medi a tely after the interaction |Bechmann-Pasauinucc 
120061 ; ICurtv and Liitkenhaud . 120051: iLiitkenhausl Il99 ~ 
or whether she can keep the signals in a quantum 
memory until the end of the sifting and error cor- 
rection phase ( Bechmann-Pasauinucci and Gisinl . 1996; 



i Brassard efol\. l2000t iBrufj. Il998t ICerf et all 12002 : 



Fuchs et al. . 19971: Herbauts et all 120081 : iLutkenhaus 



19991 : ISlutskv et all Il998l ). The first case is associated 



to the hardware assumption that Eve is restricted not to 
have a quantum memory 41 . The second case is associ- 
ated to the hardware assumption that Eve cannot per- 
form arbitrary coherent measurements and can be useful 
as a step on the way to unconditional security proofs. 
However, we stress that the bound for collective attacks 
can nowadays be calculated more easily and gives more 
powerful results 42 . 



The order of magnitude of the improvements is roughly the same 
for all examples that have been studied. Consider e.g. BB84 
in a single-photon implementation, and security against the 
most general attacks: the critical QBER for one-way post- 
proce ssing without pre-processing is 11% llShor and Preskilll 
l2000h: bitwise pre-processing b rings this value up to 12.4% 
llKraus. Gisin a nd Rennerl. |20 05|). more c omple x pre-processing 
up to 12.9% l|Smith. Renes and Smolinl [2008); two-way post- 
processing can increase it significantly further, at least up to 
20.0%, but at the expenses of drastically reduced key rate 
llBae and Aci'nl. |2007|; fChaul, 120021 ; iGottesman and Lctl2003t) . In 
weak coherent pulses implementations, pre-processing increases 
the critical distance of BB84 and of SARG 04 by a few kilome ters, 
both for security agai nst individual llBran ciard et all, 120051) and 
most general attacks (Kraus, Branciard and Rcnncr, 2007). 
Recall that optical error is routinely kept far below 5%; therefore, 
the total error rate exceeds ~ 10% when the error is largely due 
to the dark counts. 



We note here that this "same strategy" may be probabilistic 
(with probability pi, Eve does something; with probability p2, 
something else; etc), provided the probabilities are fixed during 
the whole key exchange. Strange as it may seem from the stand- 
point of practical QKD, an attack, in which Eve would simply 
stop attacking for a while, belongs to the family of the most 
general attac ks! 

Generalizing (Wang, 2001), it is conjectured that individual at- 
tacks should be optimal under the weaker assumption of a quan- 
tum memory that would be bounded, either in capacity or in 
lifetime; but only rougher bounds have been deriv ed so far 
dDamgaard et all. |2005| . |2007| ; iKonig and Terhall I2OO8T) . 
At the moment of writing, there is still something that is known 
only for individual attacks, and this is Eve's full strategy; the op- 
timal procedur es been found both for the scenar io without quan- 
tum memory llLutkenhausI , Il996l) and with it llHerbauts et ali . 
2008; Lutkcnhausl. Il999f ). On the contrary, the bound for collec- 
tive and coherent attacks is computed by optimizing the Holevo 
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An important sub-family of individual attacks are the 
intercept-resend (IR) attacks. As the name indicates, Eve 
intercepts the quantum signal flying from Alice to Bob, 
performs a measurement on it, and conditioned on the re- 
sult she obtains she prepares a new quantum signal that 
she sends to Bob. If performed identically on all items, 
this is an individual attack. Moreover, it obviously real- 
izes an entanglement-breaking channel between Alice and 
Bob, thus providing an ea sily computed upper bound on 
the security of a protocol (iBechmann-Pasauinuccil [20061 : 
ICurtv and Lutkenhausl 120051) . 



b. Collective attacks. This notion was first proposed by 
Biham, Mor and coworkers, who proved the security of 
BB84 against them and conjectured tha t the same bound 
would hold for the most g eneral attacks ( Biham and Mori . 
119971: iBiham" et al. , 2002). Collective attacks arc defined 
as follows: 



(CI) The same as (II). 

(C2) Eve can keep her ancillae in a quantum memory 
until the end of the classical post-processing, and 
more generally until any later time convenient to 
her (for instance: if the key is used to encode a 
message, part of which is vulnerable to plaintext 
attack, Eve may delay her measurement until she 
obtains the information coming from this attack). 
She can then perform the best measurement com- 
patible with what she knows. In general, this will 
be a collective measurement. 

Only (CI) is an assumption on Eve's power. The 
generic bound for the secret key fraction achievable us- 
ing one-way post-processing (Devetak- Winter bound) is 
given by (|2"Tj) with 



Iae = m&xx(A : E) 

Eve 



(collective attacks) (23) 



and I b e defined in the analog way ( Devetak and Winter! . 
I2005D. Here, \(A : E) is the so-called Holevo quantity 
(|Holevol . Il973h 



C (A:E) = S( PE )-J2p( a ) S (PE\a) 



(24) 



where S is von Neumann entropy, a is a symbol of 
Alice's classical alphabet distributed with probability 
p(a), pE\ a is the corresponding state of Eve's ancilla and 
Pe = ^2 a P( a )PE\a is Eve's partial state. The Holevo 
quantity bounds the capacity of a channel, in which a 



classical value (here a) is encoded into a family of quan- 
tum states (here, the Pe\o)'- m this sense, it is the natural 
generalization of the mutual information. 

As mentioned, it is actually easier to compute |23|) 
than (j22|) . The reason lies in the optimization of Eve's 
strategy. In fact, the Holevo quantity depends only on 
Eve's states PE\m that is, on the unitary operation with 
which she couples her ancilla to the system flying to Bob. 
In contrast to that, the mutual information depends both 
on Eve's states and on the best measurement that Eve 
can perform to discriminate them, which can be con- 
structed only for very specific examples of the set of states 
(|Helstroml . [l976T) . 



c. General (or coherent) attacks. Eve's most general strat- 
egy includes so many possible variations (she may entan- 
gle several systems flying from Alice to Bob, she may 
modify her attack according to the result of an inter- 
mediate measurement...) that it cannot be efficiently 
parametrized. A brute force optimization is therefore 
impossible. Nevertheless, as mentioned several times al- 
ready, bounds for unconditional security have been found 
in many cases. In all these cases, it turns out the bound is 
the same as for collective attacks. This remarkable result 
calls for several comments. 

First remark: this result has an intuitive justification. 
If the state \^(S n )) that codes the sequence S n has the 
tensor product form \tjj(si))(^ ...(^\tp(s n )) , then the states 
flying from Alice to Bob are uncorrelated in the quantum 
channel; therefore Eve does not seem to have any advan- 
tage in introducing artificial correlations at this point 43 . 
However, correlations do appear later, during the clas- 
sical post-processing of the raw key; such that in fact, 
the final key is determined by the relations between the 
symbols of the raw key, rather than by those symbols 
themselves. Thus, Eve must not try and guess the value 
of each symbol of the raw key, but rather some relation 
between them — and this is typically a situation in which 
entanglement is powerful. This vision also clarifies why 
unconditional security is still elusive for those protocols, 
for which 1^(5^)) is not of the tensor product form (see 

mm- 

Second remark: for BB84, six-state and other pro- 
tocols, assuming the squashing property of detec- 
tors (see IIV.A.2I) . thi s result is a consequence of 
the internal symmetries (iKraus. Gisin and Rennerl 120051 : 
iRenner. Gisin and Krausl . 12005! ) . The explicit calcula- 
tions are given in Appendix [AJ In a more general frame- 
work, the same conclusion can be reached by invokin g 
the exponential De Finetti theorem (jRennerl . I2005L 120071 ) . 
This theorem says that, after some suitable symmetriza- 



bound over all possible interactions between the signal and Eve's 
ancillae (see below): one implicitly assumes that suitable mea- 
surements and data processing exist, which will allow Eve to ex- 43 Of course, one is not saying that Eve does fulfill (II): Eve can 
tract that amount of information. It would be surely interesting do whatever she wants; but there exist an attack that fulfills (II) 

to exhibit explicit procedures also for more general attacks. and that performs as well as the best possible attack. 
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tion, the statistics of the raw key are never significantly 
different from those that would be obtained under con- 
straint (II). This is a very powerful result, but again 
does not solve all the issues: for instance, because the ac- 
tual exponential bound depends on the dimension of the 
Hilbert space of the quantum signals, it cannot be ap- 
plied to continuous-variable QKD (see however the Note 
added in proof at the end of this paper) . Also recall that 
we consider only the asymptotic bound: the finite-key 
bounds obtained by invoking the De Finetti theorem are 
over-pessimistic ( Scarani and Renneil 120081 ). 



3. Quantum side channels and zero-error attacks 

The possibility of zero-error attacks seems to be at 
odds with the fundamental tenet of QKD, namely that 
Eve must introduce modifications in the state as soon 
as she obtains some information. However, there is no 
contradiction: for instance, in the presence of losses the 
quantum signal is also changed between the source and 
the receiver. Even if in most protocols (see discussion in 
Sec. II.B.3|) losses do not lead to errors in the raw key, 
some information about the value of the coded symbol 
may have leaked to Eve. 

Losses are the most universal example of leakage of in- 
formation in a quantum side-channel, i.e. in some degree 
of freedom other than the one which is monitored. We 
stress that the existence of side-channels does not com- 
promise the security, provided the corresponding attacks 
are taken into account in the privacy amplification. 

The beam- splitting (BS) attack translates the fact that 
all the light that is lost in the channel must be given to 
Eve: specifically, Eve could be simulating the losses by 
putting a beam-splitter just outside Alice's laboratory, 
and then forwarding the remaining photons to Bob on a 
lossless line. The BS attack does not modify the optical 
mode that Bob receives: it is therefore always possible 
for lossy channels and does not introduce any error 44 . 
For an explicit computation of BS attacks, see I VLB] 

When the signal can consist of more than one pho- 
ton, Eve can count the number of photons in each sig- 
nal and act differently according to the result n of this 
measurement. Such att acks are called photon-number 
splitt i ng (PNS) attacks dBennettl. 1992t Brassard et al. , 



2000 ; lDusek. Haderka and Hendrvchl . Il999t Liitkenhaus 
2000T ) and can be much more powerful than the BS 
attack. They were discovered as zero-error attacks 
against BB84 implemented with weak laser pulses; in 
the typical parameter regime of QKD, even the Pois- 
sonian photon number distrib ution can be preserved 
( Liitkenhaus and Jahmal . I2002T ) . so that the PNS attack 



cannot be detected even in principle as long as one known 
signal intensity is used. To use different intensities in or- 
der to detect P NS atta c ks is t he idea behind the decoy 
states metho d (jHwanel . 120031: lLo. Ma and Chenl . 120051: 
IWand . 120051 ). Also the distribu ted-phase-reference pro- 
tocols detect the P NS attacks ( Inoue and Honid . 120051: 
IStucki et a/.l . l2005h . 

Finally, we mention the possibility of attacks based 
on unambiguous state discrimination (USD) followed 
by re send of a signal ( Dusek. Jahma and Liitkenhaud . 
l2000l). These can be part of a PNS attack 



( Scarani. Acin. Ribordv and Gisirl I2004T) or define an 
attac k of its own ( Branciard et all l2007t ICurtv et ali , 
l2007f ): they are clearly zero-error attacks and modify the 
photon-number statistics in general. 

Of course, a quantum side-channel may hide in any im- 
perfect component of the device (e.g., a polarizer which 
would also distort the wave function according to the 
chosen polarization). The list of the possibilities is un- 
bounded, whence the need for careful testing 45 . 



4. Hacking on Practical QKD 

In practical QKD, the security concerns are not limited 
to the computation of security bounds for Eve's action on 
the quantum channel. Any specific implementation must 
be checked against hacking attacks and classical leakage 
of information. 

Hacking attacks are related to the weaknesses of an 
implementation. A first common feature of hacking at- 
tacks is that they are feasible, or almost feasible, with 
present-day technology. The best-known example is the 
family of Trojan Horse Attacks, in which Eve probes 
the settings of Alice's and/or Bob's devices by send- 
ing so me light into them and collect i ng th e reflected 
signal (|Vakhitov. Makarov and Hielmd . 120011 ) . Actually, 
the first kind of hacking attack that was considered is 
a form of Trojan Horse that would come for free: it 
was in fact noticed that some photon counters (silicon- 
based avalanche photo-diodes) emit so me light at various 
wave lengths when they detect a photon ( Kurtsiefer et all 
120011) . If this light carries some information about which 
detector has fired, it must be prevented to propagate out, 
where Eve could detect it. On these two examples, one 
sees also the second common feature of all hacking at- 
tacks, namely, that once they have been noticed, they 
can be countered by adding some component. In all se- 
tups where light goes only one way (out of Alice's lab 
and into Bob's lab), the solution against Trojan Horse 
attacks consists in simply putting an optical isolator; in 
implementations where light must go both ways (typi- 



For some sources, this attack simply does not give Eve any in- 
formation: for a perfect single-photon source, if the photon goes 
to Eve, nothing goes to Bob, and viceversa. 



Some very specific protocols and the corresponding secu- 
rity proofs can be made robust against such imperfections 
lAcfn et al.l , l2007r) . 



20 



cally, the Plug & Play setups), the s olution is provide d 
by an additional monitoring detector ( Gisin et"all . l2006l) . 

Apart from Trojan Horses, other hacking attacks 
have been invented to exploit potential weaknesses 
of sp ecific implementations, e.g. faked sta t e at- 
tacks (iMakarov and Hielmel . 1200a iMakarov et all l2006t 



IMakarov and Skaai , 20081 ). phase-rem apping attacks 



( Fung et al . 2007). tim e-shift attacks (|Qi. Fung et all 



2007; IZhao et all 120081 ). It has also been noticed that 



a too precise timing disclosed in the Alice-Bob synchro- 
nization protocol may di sclose information about which 
detec tor actually fired ( Lamas-Linares and Kurtsieferl . 
120071) . 



5. A crutch: the "uncalibrated-device scenario" 

As stressed, all the errors and losses in the quantum 
channel must be attributed to Eve's intervention. But 
in a real experiment, there are errors and losses also in- 
side the devices of the authorized partners. In particu- 
lar, the detectors have finite efficiency (losses) and dark 
counts (errors) ; these values are known to the authorized 
partners, through calibration of their devices. A security 
proof should take this fact into account. 

The task of integrating this knowledge into security 
proofs, however, has proved harder than one might think. 
In general, the naive approach, consisting in taking an 
attack and removing the device imperfections from the 
parameters used in privacy amplification, gives only an 
upper bound, even at the level of individual attacks 46 . In 
particular, unconditional security proofs, whenever avail- 
able, have been provided only under the assumption that 
all the losses and all the errors are attributed to Eve and 
must therefore be taken into account in privacy amplifica- 
tion. We refer to this assumption as to the uncalibrated- 
device scenario, because it all happens as if Alice and 
Bob would have no means of distinguishing the losses and 



46 Consider a PNS attack l|III.B.3| l on BB84 implemented with weak 
coherent pulses, and focus on the pulses for which Eve has found 
n = 2 photons. The obvious PNS attack consists in Eve keeping 
one photon in a quantum memory and sending the other one to 
Bob, because in this case she obtains full information and in- 
troduces no error. But there is no information on non-detected 
photons: in particular, if Eve cannot control the losses in Bob's 
apparatus tg and the detector efficiency rj, her information rate 
on such events will be 72^1+1 = tBV- Now, consider another 
strategy: Eve applies a quantum doner 2^3, keeps one pho- 
ton and sends the other two to Bob. Since no perfect cloning 
is possible, this introduces an error £2 on Bob's side and Eve's 
information on each detected bit is / (£2) < 1. But Eve's informa- 
tion rate is ^"2^2+1 = [1 — (1 — tBV) 2 ]H £ 2) ~ 2tgr]I(c2) and can 
therefore become larger than J2— The full analysis must be 
done carefully, taking into account the observed total error rate; 
in the family of individual attacks, the cloning strategy performs 
indeed better than the "obvious" one for typical values of tgri 
(Curty and Liitkenhaus, 2004; Niedcrbcrger, Scarani and Gisin, 
2005). Note that there is no claim of optimality in this example: 
another attack may be found that performs still better. 



errors of their devices from those originating in the chan- 
nel 47 . These issues have been raised in a non-uniform 
way in the literature. Most of the discussions have taken 
place for discrete-variable protocols; the security stud- 
ies of distributed-phase-reference protocols are in a too 
early stage, but will surely have to address the question. 
The case of CV QKD may prove different because of the 
difference in the detection process (homodyne detection 
instead of photon counting) . 

At the moment of writing, the uncalibrated-device sce- 
nario is still a necessary condition to derive lower bounds. 
In the following sections, we shall work with this scenario. 
In IIV.CI and IVII.B.21 we shall compare the best available 
lower bounds with the upper bounds obtained with a 
naive approach to calibrated devices: we shall show (for 
the first time explicitly, to our knowledge) that in some 
cases the two bounds coincide for every practical pur- 
pose. In lVIII.A.2[ we summarize the status of this open 
problem. 



IV. DISCRETE-VARIABLE PROTOCOLS 
A. Generic Assumptions and Tools 



As argued in Sec. IIII.B.51 in order to present lower 
bounds as they are available today, we work systemati- 
cally in the uncalibrated-device scenario; paragraph llV.CI 
will present how to derive an upper bound for calibrated 
devices. 



1. Photon-number statistics 

We suppose that each signal is represented by a diago- 
nal state in the photon-number basis, or in other words, 
that there is no phase reference available and no coher- 
ence between successive signals 48 . Thus, Alice's source 
can be described as sending out a pulse that contains n 
photons with probability pa(ti); Eve can learn n without 
modifying the state, so this step is indeed part of the 
optimal collective attack (Eve may always choose not to 
take advantage of this information). 

The statistical parameters that describe a key ex- 
change are basically detection rates and error rates 49 . 



47 The name "uncalibrated-device scenario" is proposed here for the 
first time. In the literature, the assumption used to be named 
"untrusted-device scenario" ; but this name is clearly inadequate 
(see III. C. II for the elements that must be always trusted in a 
QKD setup, and IVIII.A.3l for those may not be trusted in some 
very specific protocols). 

48 In some cases like Plug&Play implementations, the random- 
ization of the phase should in principle be ensured actively 
<Gisin et aUteOOfl; IZhao, Qi and Lcll200Sl) . 

49 We assume that these parameters are independent of Bob's mea- 
surements, either because they are really measured to be the 
same for all bases (a reasonable case in practice), or because, af- 
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Here are the main notations: 



• R: total detection rate; 



• R n : detection rate for the events when Alice sent 
n photons (%2 n R n = R); 

• Y n = R n / R a convenient notation (Y] n Y n = 1); 

• R™: wrong counts among the R n ; 



R™ I R n the error rate on the n photon signals; 



• Q = J2 n Y n £ n the total error rate (QBER). 

Concerning photon statistics on Bob's side, it is impor- 
tant to notice the following. If the channel introduces 
random losses, the photons that enter Bob's device are 
distributed according to Ps{k) = J2n>kP^( n ) C„£ (1 — 

is the binomial factor; one 



where C* = ^ 
could compute R n from this value and the details of 
the protocol. However, Eve can adapt her strategy to 
the value of n, so the photon- number statistics ps(fc) 
on Bob's side may be comple tely different from pjj(fc) 
(jLiitkenhaus and Jahmal[2002f ). 



2. Qubits and Modes 

Many, though not all, security proofs can be obtained 
by finding qubit protocols in the optical implementations 
that work with optical modes. 



a. Sources: Tagging. On the source side, this can be 
done by 'tagging', by assuming that all multi- photon sig- 
nals (with respect to the total signal) becoming fully 
known to an eavesdropper. This leaves us effectively 
with qubits, using the single photons and the coding 
degree of freedom, for example polarization or rela- 
tive phas e between two modes. This meth o d has been 
used in (llnamori. Lutkenhaus and MaversL 12001-20071 
iLutkenhau s. 2000) , but the term tagging has been intro- 
duced only in ( Gottesman. Lo. Lutkenhaus and Preskilll 
I2004D . Note that security proofs can be done without 
this assumptions, e.g. in the case of the SARG protocol. 



b. Detectors: Squashing. Detectors act on optical modes, 
and typically threshold detectors are used that cannot rc- 
solve the incoming photon number . Some security proofs 
(iKoashil . [20061 : iMaversL fl996L l200lh can directly deal with 
this situation. In other security proofs one has either to 
search through all possible photon number of arriving 
signals to prove that it is Eve's optimal strategy to send 



preferentially single photons to Bob ( Lutkenhaus! . Il999t) . 
It was there realized that double clicks in detection de- 
vices, resulting from multi-photon signals or dark counts, 
cannot be simply ignored, as a secur ity loophole would 
open up. 50 As a countermeasure, in ( Liitkenhausl . 1 19991 
I2000D it was introduced to assign double clicks at random 
to the values corresponding to single click events. 

The concept of squashing, originally in- 
troduced in a co n tinuou s variable context 
(iGottesman and Preskiil |200ll). ras been coined in 
( Gottesman. Lo. Lutkenhaus and Preskilll . 12004 ) . where 
it is assumed that the detection device can be described 
by a two-step process: in a first step, the optical signal 
is mapped (squashed) into a single photon (qubit), 
and then the ideal measurement in the qubit descrip- 
tion is performed. Only recently, it has been shown 
that a squ ashing model actually exists for th e BB84 
protocol dBeaudrv. Moroder and Liitkenhausl . l2008t 
iTsurumaru and Tamakil l2008h with the given assign- 
ment of doub le clicks to random single detector clicks . 
Actually, in ( Beaudrv. Moroder and Liitkenhausl 120081 ). 
a framework has been developed to find squashing maps 
for different detector set-ups, including the implemen- 
tation of passive basis choice in the BB84 protocols via 
a beamsplitter. Note that the existence of a squashing 
model should not be taken for granted, as for example 
the six-state protocol does not admit a squashing model. 
However, a six-state protocol measurement with a 
passive basis choice via a linear optics array admits a 
squashing model for su itable assignment of multi-clicks. 
(|Beaudrv et aUl2008bl) . 

Note again that it is not necessary to find a squash- 
ing model to prove security, but it is certainly an ele- 
gant short cut, as now the combination of tagging in the 
source and squashing in the detector allows to reduce the 
security analysis of QKD to qubit protocols. For the re- 
mainder of this review, however, we adopt the squashing 
model view. 



3. Secret key rate 

The bound for the secret fraction is (j2Tj) . In the case 
of the protocols under study, H(A) — H(B) = 1 and 
H(A\B) = H{B\A) = h(Q), where h is binary entropy 
and Q is the QBER. Therefore I (A : B) = 1 - h{Q). 
However, we want to provide formulas that take impor- 



ter the sifting procedure, Alice and Bob forget from which mea- 
surement each bit was derived and work with average values. 



50 A simple attack exploiting this loophole goes as follows: Eve per- 
forms an intercept/resend attack and resend a pulse containing 
a large number of photons in the detected polarization. If Bob 
measures in the same basis as Eve, he will receive a single detec- 
tor click, about which Eve has full information. If Bob measures 
in a different basis, he will receive almost always double clicks, 
which he would discard. Therefore Eve has perfect information 
about all signals retained by Eve, allowing her to break the QKD 
scheme. 
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feet error correction into account. Therefore we shall use 



K = R[l-\eak EC (Q)- Ie] 



(25) 



with leakEciQ) > h(Q) an d Ie = m i n (Iae, Ibe)- Let 
us study this last term. Eve gains information only on the 
non-empty pulses, and provided Bob detects the photon 
she has forwarded. Since, due to the squashing model, 
the exponential De Finetti theorem applies to discrete- 
variable protocols (see discussion in Sec. IIII.B.2j) . and 
since the optimal collective attack includes the measure- 
ment of the number of photons, the generic structure for 
the Eve's information reads 51 



Ie = max 

Eve 



E.n 



(26) 



where, as usual, the maximum is to be taken on all Eve's 
attacks compatible with the measured parameters. 



B. BB84 coding: lower bounds 

In the BB84 coding, the probability that Bob accepts 
an item depends only on the fact that he has used the 
same basis as Alice, which happens with probability p a ift- 
Therefore, writing i>s = vsPsift, we have 



Rn 



VSPA{n) fn 



(27) 



where f n is the probability that Eve forwards some sig- 
nal to Bob for n-photon pulses. Eve's attack must be 
optimized over the possible {f n }n>o compatible with 
= Now we consider different implementations 
of this coding. 



2006 ; iGottesman. Lo. Lutkenhaus and Preskilll . 12004 
Kraus. Branciard and Rennerl . l2007l ). Therefore (f2"6")l be- 
comes 



Ie = max \Yih(si) 

Eve 



min {Yo + Yill-hfa)]} 

Eve 



(28) 



2. P&M without decoy states 

In P&M schemes without decoy states, the only mea- 
sured parameters are R and Q. We have to assume 
£n>2 = 0; therefore we obtain e\ = Q/Y\. From this and 
(|28|) . we see 52 that Eve's optimal attack compatible with 
the measured parameters is the one which minimizes Y\ , 
a situation which is obviously achieved by setting /o = 
and f n >2 = !■ One finds then 



Yi 



l-{D s /R)p A {n>2). 



(29) 



As a conclusion, for BB84 in a P&M scheme without 
decoy states, the quantity to be subtracted in PA is 

I E = l-Fi[l-/i(Q/Yi)]; (30) 

the corresponding achievable secret key rate (f2"5")l is 

K = R\Y 1 {l-h{Q/Y 1 ))-]Bak E c{Q)\ (31) 



where Y\ is given in (|29|) . As expected, K contains only 
quantities that are known either from calibration or from 
the parameter estimation of the protocol [R, Q) . 



3. P&M with decoy states 



1. Prepare-and-Measure: Generalities 

In P&M BB84, I AE = Ibe- On the events when Al- 
ice sends no photons (n = 0) bu t Bob has a detection, 
the intuitive result Ie.o = (Lo. 2005) has indeed been 
proved (|KoashiL [2006b). On the single-photon pulses, 
Eve can gain information only at the expense of intro- 
ducing an error ey, the maximal information that she can 

obtain this way is I E .i h{e\) where h is binary entropy 

( Shor and Pres kill. 2000). A possible demonstration of 
this well-known result is given in AppendixfAJ For multi- 
photon pulses, the best attack is the PNS attack in which 
Eve forwards one photon to Bob a nd keeps the others: i.e . 
for n > 2, e n — and Ie,u — 1 ( Fung. Tamaki and Lol . 



51 More explicitly, this formula should read Ie = mm(lAEt Ibe) 
with I AE = max Eve ^2 Y n I AE,n and similarly for I BE . 
In the de velopment of QKD, this formula was derive d first 
for BB84 (Gottcsman. Lo, Lutkenha us and Pres kill. 2004), then 
for SARG04 l lFune. Tamaki and Let |2006|). then generalized 
to all discrete-variable protocols l|Kraus. Branciard and Rennerl . 
12007ft . 



The idea of decoy states is simple and deep. Alice 
changes the nature of the quantum signal at random 
during the protocol; at the end of the exchange of quan- 
tum signals, she will reveal which state she sent in each 
run. This way, Eve cannot adapt her attack to Al- 
ice's state, but in the post-processing Alice and Bob 
can estimate their parameters conditioned to that knowl- 
edge. The fir s t prop osal using one- and two-photon sig- 
nals ( Hwang) . 120031 ) was rapidly modified to the more 
realistic implementatio n in which Alice modulates the 
inten sity of the laser ( Lo. Ma and Chenl . 120051 : IWand . 
2005). As we mentio ned, several experiments have al- 
ready been perfo r med dMa et aLl.l2006l:lPeng et all 12007 



Rosenberg et all. [20071 ; lYuan, Shame and Shields! 12007 
Zhao et all l2006h. more recently even including finite- 



key effects ( Hasegawa et ctZ.I . l2007t ). 

Let £ be some tunable parameter(s) in the source, the 
typical example being £ = p the intensity (mean photon- 
number) of a laser. Alice changes the value of £ randomly 



52 First proved in (Inamori, Lutkenhaus and Mayers, 2001-2007) in 
the context of unconditional security. 
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from one pulse to the other; at the end of the exchange of 
quantum signals, Alice reveals the list of values of £ € X, 
and the data are sorted in order to estimate the parame- 
ters separately for each value. With this simple method, 
Alice and Bob measure 2\X\ parameters, namely the w- 
and the Q*. 

The set X is publicly known as part of the protocol; but 
if \X\ > 1, Eve cannot adapt her strategy to the actual 
value of £ in each pulse, because she does not know it. 
Therefore, /„ and e„ are independent of £; in particular, 
= pa(jA£) f n . The measured parameters 



n>0 



and g« = ^^| e „ 



n>0 



(32) 



define a linear system with 2\X\ equations for the f n and 
the e n . The optimization in (|28p must then be performed 
using the lower bounds for Y^ and the upper bound for 
£j as obtained from the measured quan tities {FP, Q^}$£X 
( Tsurumaru. Souiaeff. Takeuchil l2008h . In practice, the 
meaningful contributions are typically the n = 0,1,2 
terms, and a decoy-state protocol with \X \ = 3 re aches 
very close an exact determination ( Havashi , l2007fj) . For 
simplicity, here we suppose that all the f n and s n have 
been determined exactly 53 . Also, we consider a protocol 
in which the classical post-processing that extracts a key 
is done separately on the data that correspond to differ- 
ent £. For each £, the quantity to be subtracted in PA 



,54 



4 = l-Yt-Yftl-hfa)] 



(33) 



with Yq X — Rq 1 /R^ and the corresponding achievable 
secret key rate is 

= Rt [r ? + Y 1 «(l-/i(e 1 ))-leak f;c (Q«)] .(34) 

The total secret key rate is K = K^, where the sum 
is taken on all the values of £ such that > 0. If 
the classical post-processing were done on the whole raw 
key, the total secret key rate would read K — R[l — 

leakEC'iQ)] — J2^^^e- The two expressions coincide if 
there exists a £ which is used almost always. 



4. P&M: analytical estimates 

Alice and Bob can optimize K by playing with the pa- 
rameters of the source, typically the intensity. A rigorous 
optimization can be done only numerically. In this para- 
graph, we re-derive some often-quoted results for P&M 



As a side remark: one might find £ n >2 > 0, but this does not 
modify the discussion in Sec. IIV.B.1I about the optimal attack. 
Indeed, Eve might have performed the attack that gives £ n >2 = 
0, then added some errors "for free" . 
Note the presence of Y~ in the next two equations. 



implementations of BB84. For this a priori estimate, one 
has to assume that some "typical" values for the R n and 
the Q n will indeed be observed. As stressed above, se- 
curity must be based on the actually measured values: 
what follows provides only guidelines to start working 
with the correct orders of magnitude. Here, we chose to 
work in a regime in which the rate of detection of true 
photons is much larger than the dark count rate. For 
simplicity, we also assume optimal error correction, so 
that leak EC (Q) — h(Q). 

The reference case is the case of single-photon sources, 
for which the meaningful scheme is P&M without decoy 
states. For this source, Pa(1) = 1 therefore Y± = 1; the 
expected detection rate is R = vsttBi], and Eq. (J3TJ) 
yields immediately 

K v s tt B r) [1 - 2h(Q)} (single photon) . (35) 

As expected, K scales linearly with the losses in the line 
and the efficiency of the detector. 

The most widespread source in P&M schemes are at- 
tenuated lasers. The estimate can be made by consid- 
ering only the single-photon and the two-photon emis- 



sions: VA\X) 



lie 



p A {2) = m e' tl /2. The expected 



detection rate is R = tBV- The important feature, 
which is absent in the study of single-photon sources, is 
the existence of an optimal value for the intensity /i, a 
compromise between a large R and a small pa{2). We 
focus first on implementations without decoy states. We 
can set Pa(1) ~ M an d Pa(2) ~ /^ 2 /2, but still, the op- 
timal value of fi cannot be estimated exactly in gen- 
eral, because Yi = 1 — 2 tt B v depends on /i and ap- 
pears in a non-algebraic function. Let us then con- 
sider first the limiting case Q = 0: Eq. (|3"Tj) becomes 
K/vs ~ ^ittBT] — M 2 /2, w hose maxima l value is ^(ttsv) 2 
obtained for fi = ttsi] ( Lutkenhaud . |2000T) . To obtain 



estimates for the Q > case, we can make the approx- 
imation of using to compute Y\, i.e. to set Y\ = h. 
Then, the optimization of Eq. (|31| is also immediate: 
writing F{Q) = 1 — h(2Q) — h(Q), the highest achievable 
secret key rate is 

K 1 

-r—- — ~ r Vopt F{Q) (laser, no decoy) (36) 
vsttsri 2 

obtained for the optimal mean photon number 



l^opt 



t t B r\ 



HQ) 
1 - h(2Q) 



(37) 



Let us now perform the estimate for an implementa- 
tion using decoy states. The decoy consists in varying 
the intensity of the laser from one pulse to the other, 
so that the general parameter £ is in fact fi. We sup- 
pose that a given value /i is used almost always (and 
this one we want to optimize), while sufficiently many 
decoy values are used in order to provide a full parame- 
ter estimation. The expected values are i? M = i>slJ-ttBr], 
Ri = DsHe^^ttBi] and E\ = Q. Inserted into Eq. (jM)) . 
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one obtains K w vs^ttBn[e M (l — HQ)) ~ HQ)}': using 
« 1 — /i, this expression reaches the maximal value 



K 



1 



v s tt B r\ 2 
for the optimal mean photon number 



A*opt [1 — 2/i(Q)] (laser, decoy) (38) 



f^opt 



1 - 



HQ) 
I -HQ) 



(39) 



Let us summarize. Without decoy states, jj, opt ~ t and 
consequently K oc t 2 : the larger the losses, the more 
attenuated must the laser be. The reason are PNS at- 
tacks: Alice must ensure that Eve cannot reproduce the 
detection rate at Bob's by using only photons that come 
from 2-photon pulses (on which she has full information) . 
With decoy states, one can determine the fraction of 
detections that involve photons coming from 2-photon 
pulses; if this fraction is as low as expected, one can ex- 
clude a PNS attack by Eve — as a benefit, the linear 
scaling K cx t is recovered. This is the same scaling ob- 
tained with single-photon sources, with the obvious bene- 
fit that lasers are much more versatile and well-developed 
than strongly sub-Poissonian sources. Another interest- 
ing remark is that, both with and without decoy states, 
Mop* ~ ^Mcrit, where the critical value fi C rit is defined as 
the one for which K « 0. In other words, an intensity 
double than the optimal one is already enough to spoil all 
security. In implementations without decoy states, where 
fi decreases with t, this calibration may be critical at long 
distances. 



5. Entanglement-Based 

If Alice holds the down-conversion source, as is the 
case in almost all the EB QKD experiments performed 
to date 55 , an EB scheme is equivalent to a P&M one (see 
III.B.2I) so the corresponding security proofs could be ap- 
plied. The only specific difference to address concerns 
the events in which more than one pair is produced in- 
side a coincidence window. As described in Sec. III. E. 31 
two kinds of such contributions exist and Eve is able to 
distinguish between them: 

• A fraction of the multi-pair events contain partial 
correlations in the degrees of freedom used for sym- 
bol encoding; thus, Eve can get information on the 
key bit by some form of PNS attacks. This situ- 
ation is similar to the multi-photon case in P&M 
schemes, although here it is difficult to determine 
exactly the amount of information that leaks out. 



To be on the safe side we will suppose that Eve can 
obtain full information without introducing any er- 
rors. 

• The other, usually much larger fraction of multi- 
pair events consists of independent uncorrelated 
pairs. In this case Eve cannot obtain any informa- 
tion on Bob's symbol using the PNS attack. She 
can only apply "standard" single particle attack. 
We suppose that Eve can somehow find out which 
one of multiple pairs were selected by Alice's detec- 
tor, so we treat all such multi-pair contributions as 
if they were single pairs. 



Therefore Eq. 



is replaced by 



lB<K + Ylh[ff 



(40) 



where Y{ is the fraction of single-pair plus uncorrelated 
multi-pair events and Y^ is the fraction of multi-pair 
events which are (partially) correlated in the degree of 
freedom the information is encoded in. Explicitly, 



Y ; n =p A {n>2) V -^C 



(41) 



with £ being the ratio of the number of partially corre- 
lated multi-pair contributions to all multi-pair contribu- 
tions (see Sec. lII.E.3|) . In total Y r ' n + Y{ = 1. Finally, the 
achievable secret-key rate reads 



K = R [Y{ (1 - h(Q/Y{)) - leak BC (Q)] 



(42) 



Recall that these formulas apply to implementations, in 
which the source is safe on Alice's side. Notice also that 
two different sorts of multi-pair contributions are consid- 
ered and for each of them different eavesdropping strat- 
egy is assumed. However, in reality there is a smooth 
transition between correlated and uncorrelated pairs. All 
multi-pair events which exhibit non-negligible correla- 
tions must be counted as correlated. 

Recently security has been demonstrated also for EB 
systems, in which the source is under Eve 's control 



(jMa. Fung and Lol [2007) . The authors describe the con- 
ditions, under which the whole object "Eve's state prepa- 
ration and Alice's measurement" behaves like an un- 
characterized source i n the sense of Koashi and Preskill 
( Koashi and Preskilj 120031 ) . Alice has a box where she 
can dial a basis and gets an information bit from her box 
indicating which signal (0 or 1) was sent. Whatever state 
Eve prepares, when she gives one part into Alice's box 
and Alice chooses a measurement, then the average den- 
sity matrix outside this box is independent of this choice 
(assuming that the no-click event probability is basis in- 
dependent). 56 On Alice's side no Hilbert space argument 



We are aware of a s i ngle c ase, in which the source was in the 
middle llErven et all |200^ . As we shall discuss below in this 
paragraph, security proofs have been provided also for this situ- 
ation. 



This is clearly true for an active basis choice. In case of the pas- 
sive basis selection some additional assumptions on the detection 
may be necessary. 
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is needed, but on Bob's side the squshing property of the 
detection is required (see IIV.A.2p . The formula for the 
achievable secret-key rate then reads 



where 



K = R[l-h(Q)-\eak EC (Q)} 



(43) 



Formally, this is the same as obtained in a P&M scheme 
using single photons [Eq. (|3"Tj) with Y\ = 1]. As such, 
it is a remarkable result: it states that, under the as- 
sumptions listed above, all the deviations from a perfect 
two-photon source — in particular, the presence of multi- 
photon compo nents — are taken care of b y measuring the 
error rate Q (jKoashi and Preskilll . l2003h . Besides, it has 
been found that the EB QKD can tolerate higher losses 
if the source is placed in the middle between Alice and 
Bob r ather than if it is in Alice's side dMa. Fung and Lot 
120071 : IWaks. Zeevi and Yamamotd . l2002r i. 

Finally, we note that very recently another proof of the 
security of entanglement-based systems with real detec- 
tors was proposed, that does not rely on the squashing 
property but rather on the m easurement of the double- 
click rate (|Koashi et a/.l . 120081 1. 



C. BB84 coding: upper bounds incorporating the 
calibration of the devices 



As explained in Sec. IIII.B.51 the bounds for uncon- 
ditional security are always found for the uncalibrated- 
device scenario, which is over-pessimistic. It is instruc- 
tive to present some upper bounds that take the calibra- 
tion of the devices into account: the comparison between 
these and the lower bounds will determine the "realm of 
hope" , i.e. the range in which improvements on K may 
yet be found. Clearly, the contribution \eakEc{Q) of er- 
ror correction is independent of the scenario: one has to 
correct for all the errors, whatever their origin. The dif- 
ference appears in the quantity to be removed in privacy 
amplification. 



1. Statistical parameters 

In order to single out the parameters of the devices, 
one has first to recast the general notations (jlV.A.ip in 
a more elaborated form. The detection rates must be 
explicitly written as 



Rn 



Rn 



Rn 



(44) 



where R n , P is the contribution of detections and R n .d is 
the contribution of dark counts. Since Eve can act only 
on the first part, it is convenient to redefine Y n — R UtP /R, 
so that J2 n Yn = Y < 1. The errors on the line e„ are 
introduced only on the photon contribution, while the 
dark counts always give an error rate of ^; therefore the 
total error is 



Ye + 6 



(45) 



E 



n>l Y 



and 5 



1-Y 
2 



Note that the content of this paragraph is not specific 
to BB84: but all that follows is. 



2. Upper bounds 

To derive an upper bound, we use a simple recipe, 
which consists in following closely the calculations of the 
previous subsection HV.Bl and just making the necessary 
modifications, although this is known to be sub-optimal 
and no squashing model is known in this situation to jus- 
tify the assumption. In particular, Eve is still supposed 
to forward to Bob at most one photon, although this is 
known to be sub-optimal. Therefore 

Rn, P = vsPA{n)f n t B ri (46) 
Rn,d = vsPA(n)(l - f n t B r))2pd (47) 

where p d is the dark count rate. Note the presence of 
tsT} in these formulas: the detector efficiency has not 
been incorporated into /„. Extracting fntsV from these 
equations, one finds 



Y = (l-2p d u s /R)/(l-2p d ) 



(48) 



which means that the ratio between detections and dark 
counts depends only on the total detection rate R. Also, 
for our simple recipe, it is immediate that the modifica- 
tion of the general expression (f2"8"|) reads 



Ie 



max [Yife(ei) + (Y - YA) 

Eve 1 v ' v /J 



Y 



min Yi[l 

Eve 



h(ei)} 



(49) 



We restrict now to the P&M schemes. In the imple- 
mentation with decoy states, the Y n and the e n are known, 
so the only difference with the uncalibrated-device for- 
mula (l34l) is the role of dark counts: 



if (1 - hie!)) + 2<5« - leak £C (<3 5 )l (50) 



where Y$ is replaced by the very slightly larger term 57 
28^ = 1— y*. Things are different for the implementation 
without decoy states, because now Y\ and e± are not di- 
rectly measured, only R and Q are. Since we are suppos- 
ing that the optimal strategy is still such that e„>2 = 
and f n >2 = 1, we have 



Y, = Y- t BV ^§p A (n> 2) 



and £\ — 



Q-S 



(51) 



57 In the notation of this paragraph, the previous Yo would read 
Ro/R = Ro,d/R\ wn » e 25 = J2 n >o R n,d/R- Note that, strictly 
speaking, i?o = Ro.d is an assumption: a priori, one can imagine 
that Eve creates some photons to send to Bob also when Alice is 
sending no photons — but we don't consider here such a highly 
artificial situation. 
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Note that Y\ can be significantly larger than in the 
uncalibrated-device scenario, eq. (|2"5|) : in fact, although 
Y is slightly smaller than one, the term to be subtracted 
is multiplied by tsTj. This difference is specifically due 
to the fact that Eve is not supposed to influence the ef- 
ficiency of the detector. Finally, one obtains 

K = R [Yi (1 - h(ei)) + 2S- \eak EC {Q)} (52) 

with the expressions (|?T|) and with 25 = 1 — Y. 



D. Bounds for the SARG04 coding 

We sketch here the analysis of SARG04 because it con- 
tains a certain number of instructive differences with re- 
spect to BB84. Here we note i>s — because Bob 
must always choose the bases with probability i, even 
if Alice would almost always use the same set of states. 
The raw key rates are different from those of BB84. For 
definiteness, suppose that Alice send | + x) , so the bit is 
accepted if Bob finds "— ". If Bob measures X, he ac- 
cepts the bit only if he obtains "— ", but this can only 
be due to an error. We write i?™ = vsPAip) f n e n where 
the relation of e n to the induced error rate e n will be 
computed just below. If Bob measures Y , he gets "— " in 
half of the cases 58 and the bit value is correct. So 



Rn 



vsPA{n) f n {^ + . (53) 



We see that the detection rate increases in the presence 
of errors, contrary to BB84 where the detection rate is 
determined only by p si f t . The error rate is 



(54) 



for a given perturbation e n in the quantum channel, the 
error introduced in SARG04 is roughly twice the error 
£n = £n which would be introduced in BB84. 

The protocol can be analyzed following the same pat- 
tern as the one presented for BB84. Here we just review 
the main results: 

• SARG04 was invented as a method to reduce the 
effect of PNS attacks, taking advantage of the fact 
that Eve cannot e xtract full information fr o m the 
2-photon pulses (lAcfn, Gisin and Scaranil . 12004 
IScarani. Acm. Ribordv and Gisinl . 12004 ). This ini- 
tial intuition has been confirmed by all subsequent, 
more rigorous studies. In particular, it was proved 



58 As such, this statement contains an assumption on Eve's attack, 
namely Tr[cr y p(±x)] = where p(±x) is the state received by 
Bob after Eve's intervention, when Alice has sent | ± x) . But 
the result holds in general for the average detection rate, if Alice 
prepares all four states with equal probability. 



that a fraction of fully secure secr et key can be ex- 
tract ed from the 2-photon pulses ( Tamaki and Lot 
2006), and that in implementations using weak co- 
herent lasers and without decoy states, for small 
error rate SARG04 performs indeed better than 
BB84 and sh ows a scaling ~ t 3//2 a s a function of 
the distance {B ranciar d et all 120051: iKoashl 120051: 
iKraus. Branciard and Rennerl . 120071 ). 

• In the literature one finds the claim that, when 
implemented with de coy states, SARG04 pe r forms 
worse than BB84 (iFung. Tamaki and Lot l2006t 
IKraus. Branciard and Rennerl . 20071 ). This must 
be properly understood: decoy states are a method 
to gain additional knowledge on Eve's attack. If 
this method does not reveal any PNS attack (as 
it will be the case in most experiments, because 
losses appear random and therefore Eve is acting 
as a beam-splitter), indeed the BB84 rate is better 
than the one of SARG04. However, if one would 
find that Eve is actually performing a PNS attack, 
SARG04 would of course be more robust, consis- 
tently with what we wrote in the previous item. 

• An interesting case arises if one considers im- 
plementations with single-photon sources. The 
first unconditional security bound yielded that 
SARG04 tolerates a smaller QBER than BB84 
( Tamaki andTol 120061) . But this bound was im- 
proved shortly later: the optimal Ie,i, which is 
not known analytically but can easily be com- 
puted numerically, goes to zero for Si « 11.67% 
( Kraus. Branciard and Rennerl . |2007| ). This im- 
proved value is slightly better than the correspond- 
ing value for BB84, E\ i=a 11.0%: it seems therefore 
that SARG04 would perform better than BB84 also 
in a single-photon implementation. The picture is 
however different if one relates the error rate to the 
parameters of the channel, typically the visibility 
of interference fringes: this parameter is related to 
the ones introduced here through e\ = 1 "I . For 
BB84, €\ — E\ and consequently the critical visibil- 
ity is V « 78%; while for SARG04, because of (5T 
the critical visibility is worse, namely V ~ 87%. 



V. CONTINUOUS-VARIABLE PROTOCOLS 



A. Status of security proofs 



In 

curity 

tive 

iNavascues. Grosshans and Acini . 



the case of Gaussian 
has be en proved 
attacks (IGarcia-Patron and Ceril . 

2006h . 



modulation, se- 
against collec- 



2006; 
We shall 

present this bound below (|V.B[) and use it for the 
comparison with the other platforms (|VII[) . There is 
some hope that the same bound would hold also for the 
most general attack, as it is the case for discrete- variable 
systems: in particular, we note that the "intuitive" 
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reason behind that equivalence piI.B.2[) would apply 
also to CV pro tocols. U nfortunately, the exponential de 
Finetti bound ( Renneri . l2007h does not help because it 
cxplicitely depends on the dimension of the quantum 
signals. On this issue, see Note add in proof at the end 
of this paper. 

In the case of discrete modulation, the security status 
is even less advanced. Technically, the difficulty lies in 
the fact that the raw key is made of discrete variables 
for Alice, while Bob has a string of real numbers. A 
full analysis has been possible only in the case where the 
quantum channel does not add excess noise to the signal, 
so that the observed conditional variances still describe 
minimum uncertainty states. In this case, the eavesdrop- 
per's attack is always describable as a generalized beam- 
splitting attack, simulating the observed loss. The corre- 
sponding key rates depend on the classical communica- 
tion protocols chosen (with or without post-selection of 
data, in reverse or direct reconciliation); the best known 
protocol involves a combination of post-selection and re- 
verse reconciliation, especially when the error correction 
algorit hms work away from th e asym ptotic Shannon effi- 
ciency ( Heid and Liitkenhausl . 120061) . In the presence of 
excess noise, the formula for the key rate is the object of 
ongoing research; it has at least been possible to derive 
entan glement witnesses ( Rigas. Giihne and Liitkenhausl . 
2006). Entanglement verification has been performed 
and has shown that excess noise in typical installations 
does not wipe out the quantum correlation within t he 
experimentally accessible domain ( Lorenz et aZ.I . l2006h . 

Finally, in all works on CV QKD with no exception, 
it has been assumed that Eve does not act on the local 
oscillator 59 — of course, she is allowed to have access 
to it in order to measure quadratures. Since the local 
oscillator travels through Eve's domain, this assumption 
opens a security loophole 60 . Note that a similar situation 
burdened until very recently the security of Plug&Play 
configurations, for which finally unconditional security 
could be proved (see III.H.2P ; it is not clear however that 
the same approach will work here, since the strong pulses 
have very different roles in the two schemes. In any case, 
the open issue just discussed, together with the fact that 
the existing exponential de Finetti theorem does not ap- 
ply to infinitely-dimensional systems, are the main rea- 



59 This amounts at viewing the local oscillator as an authenticated 
channel, building on the closeness to classical signals. In an alter- 
native set-up, this problem can be circumvented by Bob measur- 
ing the phase of the local oscillator, followed by the recreation 
within Bob's detect or of a local oscillator with the measured 
phase llKoashil.12003) . 

60 For the setups as they have been implemented, all observed cor- 
relations are compatible with an intercept/resend attack involv- 
ing both the signal and the local oscillator. Security against 
this specific attack can be easily recovered by simple modifica- 
tions of the setups, for example the independent measurement 
of the intensity of the phase reference pul se and the signal pulse 
llHasele r. Morode r and Lutkc nhaus, 20081). 



sons unconditional security proofs are not available yet 
for CV QKD. 

As mentioned earlier (|II.D.3jl . continuous variable 
protocols show interesting features also on the classical 
part. In contrast to typical discrete variable protocols, 
where losses simply reduce the number of detected 
signals, continuous variable protocols will always detect 
a result, so that loss corresponds now to increased noise 
in the signal. Two main methods have been formu- 
lated to deal with thi s situation at the protocol level : 
reverse reconciliatio n dGrosshans and GrangierL l2002af ) 
and post-selection (jSilberhorn et all 120021 ). The first 
method can be realized using one-way EC schemes, but 
turns out to be sensitive to the efficiency of those very 
schemes. Its main advantage is that its security can be 
rigorously assessed versus general collective attacks (and 
has been conjectured to hold even for coherent attacks) 
In contrast, the second method can use both one-way and 
two-way EC schemes, and is fairly stable even if those 
schemes do not perform at the Shannon limit. However, 
its security can be analyzed only by making assumptions 
on Eve's interception (see below). The status of its 
security is not clear even for general individual attacks. 
Note that for close-to-perfect EC, reverse reconciliation 
outperforms post-selection. While progress is being 
made in the efficiency of EC schemes, it turns out that 
a combination of post-selection and reverse reconcilia- 
tion provides a practical solution to obtain reasonable 
rates with current technology, both for discrete- 



modulation (jHeid and Liitkenhausl. 2006h and for 
Gaus sian-modulation protocols (jHeid and Liitkenhausl . 
I2007D . 



B. Bounds for Gaussian protocols 

1. Generalities 

As announced, we provide an explicit security 
bou nd for coherent-state homodyne -detection protocol 
of ( Grosshans and Grangieri 12002a 1 ). Like all Gaus- 
sian protocols, this prepare-and-measure protocol can be 
shown to be equivalent to an e ntanglement-based scheme 
(jGrosshans. Cerf et ali . [2003h . In such a scheme, Alice 
prepares an EPR state — more precisely, the two-mode 
squeezed vacuum state (|15p . By applying an heterodyne 
measurement on mode A, she prepares in the second 
mode of the EPR pair a coherent state, whose displace- 
ment vector is Gaussian distributed in x and p. Then, 
Bob applies a homodyne measurement on mode B, mea- 
suring quadrature x or p. It can be shown that reverse 
reconciliation is always favorable for Alice and Bob, so 
we have to compute Eq. (|2ip with Ieb on the right hand 
side. 

It has been proved that Eve's opti- 
mal attack is Gaussian for both individual 
(iGarcia-Patronl 



2007 



Grosshans and CerJ . |2004 
lLodewvck. Debuisschert et ai , 20071) and col- 
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lective attacks (iGarcfa-Patron and Cerfl . l2006t 
iNavascues. Grosshans and Acid . 20061 ). We can there- 
fore assume that Eve effects a Gaussian channel, so 
that the quantum state pab just before Alice and 
Bob's measurements can be assumed to be a Gaussian 
two-mode state with zero mean value and covariance 
matrix jab- 

The Gaussian channel is characterized by two parame- 
ters: the transmittance, which here, since we work in the 
uncalibrated-device scenario, is tr\ with r\ the efficiency 
of the detectors; and the noise S referred to the input of 
the channel 61 . Since the two- mode squeezed state (TT5)) 
is also symmetric and has no correlations between x and 
p, the resulting covariance matrix of modes A and B can 
be written in a block-diagonal form, 



with some thermal noise v e i 
tector), giving 62 



(electronic noise of the de- 



6 h = 



1 



Vel 



1 . 



(59) 



The third term e is the excess noise (referred to the in- 
put) that is not due to line losses nor detector imper- 
fections. For a perfect detector, it can be viewed as the 
continuous- variable counterpart of the QBER in discrete- 
variable QKD; it is zero for a lossy but noiseless line. 



3. Information Alice-Bob 



with 




(55) 



In the EB version of the coherent-state pr otocol con- 
sidered here ( Grosshans and Grangierl . l2002al) , Alice per- 
forms heterodyne detection, so her uncertainty on Bob's 
quadratures is expressed as 



x(p) 
lAB 



v ±y / tri(v 2 - 1) 

±yjtr)(v 2 - 1) tr}(v + 5) 



(56) 



where the signs + and — correspond to and 7^ B , 
respectively. Here, v is the variance of both quadratures 
of Alice's output thermal state expressed in shot-noise 
units, that is, v = va + 1, va being the variance of Alice's 
Gaussian modulation. 

For what follows, it is convenient to define vx\y, the 
conditional variance that quantifies the remaining uncer- 
tainty on X after the measurement of Y: 



vx\y = {x 2 ) - (xy) 2 /(y 2 ) , 



(57) 



expressed in shot- noise units. 



2. Modeling the noise 

The noise S is the total noise of the channel Alice-Bob. 
It can be modeled as the sum of three terms: 



1-t 



S_h 
t 



+ e. 



(58) 



The first term (1—t) jt stands for the loss- induced vacuum 
noise (referred to the input); this term is at the origin 
of the higher sensitivity to losses of continuous-variable 
QKD. The second term stands for the noise added by the 
imperfection of the homodyne detection. This is modeled 
by assuming that the signal reaching Bob's station is at- 
tenuated by a factor r\ (detection efficiency) and mixed 



V B\A, 



tr)(S + l). 



(60) 



The mutual information between Alice and Bob is there- 
fore given by 



I{A:B) = ilog 2 



Vb 



V B\A, 



~log 2 



S + v 



.(61) 



As mentioned above, the main bottleneck of continuous- 
variable QKD schemes comes from the heavy post- 
processing that is needed in order to correct the errors 
due to the vacuum noise that is induced by the line losses. 
In practice, the amount of information left after error 
correction will be a fraction j3 of I (A : B). This value 
has an important effect on the achievable secret key rate 
and the limiting distance (as we shall discuss below, for 
(3 = 1 a secure key can in principle be extracted for ar- 
bitrarily large distances). This provides a strong incen- 
tive for developing better reconciliation algorithms. The 
first technique that was proposed to perform continuous- 
variable error correctio n relied on a so-called "sliced 
recon ciliation" method ( Van Assche. Cardinal and Cerfl . 
I2004D . and gave an efficiency /3 « 80%. These al- 
gorithms have been improved by using turbo-codes 
( Nguyen. Van Assche and Cerfl. 2004) an d low-density 
parity codes fLDPC) ( |Bloch et all 120051). which both 
allow to work with noisy data, hence longer distances. 
More recently, multi-dimensional reconciliation algo- 
rithms have been introduced, which allow to deal with 
even noisier data w hile keeping sim i lar or higher recon- 
ciliation efficiencies (|Leverrier et al I l2008h . 



1 The observed noise in channels such as optical fibers is typically 62 Replacing the expression for 5^ into H58I I. one obtains <5 = (1 — 
symmetric and uncorrelated in both quadratures x and p (there tr\ + v e {)/(trj) + e, which depends only on tr) as it should in the 

is no preferred phase), so we restrict to this case here. uncalibrated-device scenario. 
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4. Individual attacks 

To become familiar with the security analysis, we first 
present individual attacks. In order to address the secu- 
rity of the protocol, we assume as usual that Eve holds 
the purification of pab- Then, by measuring their sys- 
tems, Alice and Eve project Bob's share of the joint pure 
state \^abe) onto another pure state (we may assume 
without loss of generality that Eve's projection results 
from a rank-one POVM). Applying the Heisenberg un- 
certainty relation on the pure state held by Bob condi- 
tionally on Alice and Eve's measurements, we have 



Vx b \eV Pb \a > 1, v Pb \ e v Xb \ A >1, 



(62) 



where Xb and Pb are the canonically conjugate quadra- 
tures of Bob's mode. Equation (|6"2")) can be written as a 
single uncertainty relation 



vb\ev b \a 



> 1 



(63) 



where B stands for any quadrature of Bob's mode. This 
inequality can be used to put a lower bound on the un- 
certainty of Eve's estimate of the key in reverse reconcil- 
iation, that is, when the key is made out of Bob's data 
while Alice and Eve compete to estimate it. 

Now, v B \a is not necessarily given by ([60|) : Eve's at- 
tack cannot depend on how the mixed state sent by Al- 
ice (i.e., the thermal state) has been prepared, since all 
possible ensembles are indistinguishable. An acceptable 
possibility is Alice performing homodyne measurement, 
or, equivale ntly, preparing squeezed states jus t as in the 
protocol of ( Cerf. Lew and Van Asschel . 12001); in which 
case we obtain 



vb\a = tr]{5 + V u ) ■ 



(64) 



It can be shown that this is the lowest possible value of 
VgiA, hence from (j6"3")) 



vb\e 



> 



trj(5 + l/v) 



(65) 



This gives a bound for I(B : E), so the extractable se- 
cret key rate under the assumption of individual attacks 
becomes 



r = I (A : B 
1 



> 



log 2 



I(E : B) 
1 



1 



■l°g 2 



v b\e 



V B\A, 



(66) 



as shown in ( Grosshans. Van Assche et all [20031) . Note 
that the scheme that implements the optimal attack (sat- 
urating this bound) is the entang lement doner defined in 
(jGrosshans and Grangie r. 2002b). Using Eq. ([55]). it ap- 



pears that in the case of high losses (trj — ► 0) and large 
modulation (v — > oo), the secret key rate r remains non- 
zero provided that the excess noise satisfies e < 1/2. This 
is a remarkable result, due to reverse reconciliation: for 



direct reconciliation, obviously there can be no security 
when Eve has as much light as Bob, i.e. for trj < |. 

A similar reasoning can be followed to derive the se- 
curity o f all Gaussian QKD p rotocols against individual 
attacks ( Garcfa-Patr6nll2007l ). The only special case con- 
cerns the coherent-state heterodyne-detection protocol, 
whose sec urity study against indiyidual attacks is more 
invol ved ( Lodewvck and Grangierl l2007t ISudiana et all 
I2007D . 



5. Collective attacks 

The security of the coherent-state homodyne-detection 
scheme against the class of collective attacks has 
been fully studied. The corresponding rates were 
first provided assuming t hat E v e's collective attack 

is Gaussian (Gr osshansl . 120051 : H avascues and Acini 

12005b . Later on, it was proved that this choice 
is actually optimal (iGarcfa-Patron and CerA 120061: 
iNavascues. Grosshans and Acini . 20061 ). This implies 
that it remains sufficient to assess the security against 
Gaussian collective attacks, which are completely charac- 
terized by the covariance matrix ^ab estimated by Alice 
and Bob. A long but straightforward calculation shows 
that 



X(B:E) = s(Ai)+0(A a )-s(A 3 ) 



(67) 



where g(x) = (x + 1) log 2 (x + 1) — x log 2 x is the entropy 
of a thermal state with a mean photon number of x and 



Afe = Mj-^ where 



A?, = \{A±y/A*-AB) , Xj = v 



1 + vS 

v + S 



(68) 



with A = v 2 (l-2trj) + 2tr]+[tr](v + S)} 2 and B = [trj(vS + 
I)] 2 . 

In conclusion, the secret key rate achievable against 
collective attacks is obtained by inserting expressions 
(lfJT|) and ([ST]) into 



K = R [f3I(A : B) - X (B : E)] 



(69) 



Finally, we note that the optimality of Gaussian attacks 
is actually valid also for protocols that use heterodyne 
detection; a bound for security against Gaussian collec- 
tive attacks in these protocols has been p rovided recently 
( Pirandola. Braunstein and Llovdl l2008h . 



6. Collective attacks and post-selection 

In the case where all observed data are Gaussian, in- 
cluding the observed noise, we can again provide a se- 
curity proof which also allows to include post-selection 
of data in the procedure. The starting point of this se- 
curity proof is the protocol with Gaussian distribution 
of the amplitude together with the heterodyne detection 
by Bob. In this case, in a collective attack scenario, we 
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can assume a product structure of the subsequent sig- 
nals, and the density matrix pab of the joint state of 
Alice and Bob is completely determined due to the to- 
mographic structure of the source replacement picture 
and the measurement. In this scenario, we can therefore 
determine the quantum states in the hand of the eaves- 
dropper as Eve holds the system E of the purification 



ABE 



Of PAB- 



Let us consider the situation where all observed data 
in this scenario are Gaussian distributions, which is the 
typical observation made in experiments. Note that this 
is an assumption that can be verified in each run of the 
QKD protocol! In principle, one can now just use the 
standard formula for the key rate in the collective sce- 
nario, Eq. (jnU). However we would like to intr oduce a 
post-selection procedure ( Silberhorn et all l2002h to im- 



prove the stability of the protocol against imperfections 
in the error correction protocol. 

To facilitate the introduction of post-selection, we add 
further public announcements to the CV QKD proto- 
col: Alice makes an announcement 'a' consistent of the 
imaginary component a y and the modulus of the real 
component \a x \ of the complex amplitude a of her sig- 
nals. That leaves two possible signals state open. Sim- 
ilarly, Bob makes an announcement 'b' which contains 
again the complex component (3y and the modulus \(3 X \ 
of the complex measurement result f) of her heterodyne 
measurement. That leaves, again, two possible measure- 
ments from Eve's point of view. For any announcement 
combination (a, b) we have therefore an effective binary 
channel between Alice and Bob. As the purification of 
the total state pab is known, we can calculate for each 
effective binary channel a key rate 



AJ(o, b) = max {(1 - f(e a < b )h[e a ' b ] - X a ' b ), 0} . (70) 



This expression contains the post-selection idea in the 
way that whenever 1 — ft,[e a,fc ] — x a ' b 1S negative, the data 
are discarded, leading to a zero contribution of the corre- 
sponding effective binary channel to the overall key rate. 
Th e expressions for \ a ' b have bee n calculated analytically 
in (jHeid and Lutkenhausl l2"o"07ri . which is possible since 
now the conditional states of Eve, as calculated from the 
purification of pab, are now at most of rank four. Several 
scenarios have been considered there, but the one that is 
of highest interest is the combination of post-selection 
with reverse reconciliation. The explicit expressions are 
omitted here, as they do not give additional insight. The 
evaluations of the overall key rate 



VI. DISTRIBUTED-PHASE-REFERENCE PROTOCOLS 



A. Status of security proofs 



As we said in Sec. III. D. 41 distributed-phase-reference 
protocols were invented by experimentalists, looking for 
practical solutions. Only later it was noticed that these 
protocols, in addition to be practical, may even yield bet- 
ter rates than the traditional discrete-variable protocols, 
i.e. rates comparable to those of decoy-states implemen- 
tations. The reason is that the P NS attacks are no longer 
zero-error atta cks both for DPS dlnoue and Honiol.l2005| ) 
and for COW (|Gisin et all |2004 IStucki et all teOOSl Tln 
fact, the number of photons in a given pulse and the 
phase coherence between pulses are incompatible phys- 
ical quantities. At the moment of writing, no lower 
bound is known for the unconditional security of DPS or 
COW, but several restricted attacks have been studied 



dBranciard et al , 12007 : iBranciard. Gisin and Scarani 
20081: ICurtv et all 120071: ICurtv. Tamaki and Moroder 



2008; Gomez- Sousa and Curtv 120091; iTsurumaruL 12007: 
Waks. Takesue and Yamamotol . |2006|) . In these stud- 
ies, it has also been noticed that DPS and especially 
COW can be modified in a way that does not make 
them more complicated, but m a y mak e them more robust 
( Branciard. Gisin and Scaranil . [2008) . Since this point 



has not been fully developed though, we restrict our at- 
tention to the original version of these protocols. 



B. Bounds for DPS and COW 

1. Collective beam-splitting attack 

We present the calculation of the simplest zero- 
error collective attack, namely the be am-splitting attack 
(jBranciard. Gisin and Scaranil . I2008T ). For both DPS 
and COW, Alice prepares a sequence of coherent states 
®fc l a (^)) : eacn &(k) is chosen in {+a, —a} for DPS, in 
{+a, 0} for COW. Eve simulates the losses with a beam- 
splitter, keeps a fraction of the signal and sends the re- 
maining fraction r = ttBt] to Bob on a lossless line - 
note that, although this security study does not provide 
a lower bound, we work in the uncalibrated-device sce- 
nario for the sake of comparison with the other protocols. 
Bob receives the state (££) fe \a(k)y/r): in particular, Bob's 
optical mode is not modified, i.e. BSA introduces no er- 



ror 63 . Eve's state is (^) fe \a(k)y/l — r); let us introduce 
the notations cue — otyl — r and 



e -\<x B r = e -M(i-r) 



(72) 



K = R J dadb AI(a, b) 



is then done numerically. 



63 Apart from BSA, other attacks exist that do not introduce errors: 
(71) for instance, photon-number-splitting attacks over the whole key, 

preserving the coherence (these are hard to parametrize and have 
never been studied in detail). For COW, there exist also attacks 
based on unambiguous state discrimination (Branciar d et all 
l2007f) . 
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When Bob announces a detection involving pulses k — 1 
and k, Eve tries to learn the value of his bit by looking 
at her systems. Assuming that each bit value is equally 
probable, Eve's information is given by Ievc — S{pe) — 
\,S(p E \o) - \S(p E \i) with p E = ±p E \o + \pe\i- 

The information available to Eve differs for the two 
protocols, because of the different coding of the bits. 
In DPS, the bit is when a(k — 1) = a(k) and is 1 
when a(k — 1) = — a{k). So, writing the projector 
on \tp), the state of two consecutive pulses reads p E \o = 

,+aE %P—otE r ft E and Pe\1 2^+ q s,-oe 

T;P- aE: + aE ; therefore, noticing that |(+o:.e| — o:e)\ = r y 2 , 
we obtain 

Ie%%W = 2M(l- 7 2 )/2]-M(l-7 4 )/2] (73) 
where h is the binary entropy function, and 

K{p) = vs (1-e-^) [l-lE F Bs{ri] • (74) 

In COW, the bit is when a(k - 1) = y/JI,a(k) = 
and is 1 when a(k — 1) = , a{k) = ,/Ti; so, with similar 
notations as above, pe\o = P+a E ,o an d Pe\i = Po,+a E l 
therefore, noticing that |(+ae|0)| = 7, we obtain 



Ie°bs(m) = M(l-7)/2]- 



(75) 



The secret key rate is given by 

K(p) = us {l-e~^) [1-I C eTs^)] (76) 

where i>s = vs ^2 because the fraction / of decoy se- 
quences does not contribute to the raw key, and half of 
the remaining pulses are empty. 

2. More sophisticated attacks 

For the purpose of comparison with other protocols 
later in this review, it is useful to move away from the 
strictly zero-error attacks. As mentioned above, several 
examples of more sophisticated attacks have indeed been 
found. Instead of looking for the exact optimum among 
those attacks, we prefer to keep the discussion simple, 
bearing in mind that all available bounds are to be re- 
placed one day by unconditional security proofs. 

We consider attacks i n which Eve interacts coher- 
ently with pairs of pulses ( Branciard. Gisin and Scaranil 
2008). Upper bounds have been provided in the limit 
/if < 1 of not-too-short distances. Even within this 
family, a simple formula is available only for COW. For 
COW, there is no a priori relation between the error on 
the key e and the visibility V observed on the interferom- 
eter. If <i = 2y/V(l - V), one finds I^ ow (p) = 1: 
p is too large and no security is possible. If on the con- 
trary e~ M > £, the best attack in the family yields 



with F v (p) = (2V - l)e-f* - - e^ . Therefore 

K(p) = R [1 - 1% ow (p) - leaWQ)] (78) 

where the value of R is constrained by the definition of 
the attack to be vs[pttBf] + 2pd\. 

As for DPS, numerical estimates show that its ro- 
bustness under the same family of attacks is very sim- 
ilar (slightly better) than the one of COW. Therefore, 
we shall use (|75|) as an estimate of the performances of 
distributed-phase-reference protocols in the presence of 
errors; again, for the sake of comparison with the other 
protocols, we have adopted the uncalibrated-device sce- 
nario here 64 . 



VII. COMPARISON OF EXPERIMENTAL PLATFORMS 

A. Generalities 

After having presented the various forms that practi- 
cal QKD can take, it is legitimate to try and draw some 
comparison. If one would dispose of unlimited financial 
means and manpower, then obviously the best platform 
would just be the one that maximizes the secret key rate 
K for the desired distance. A choice in the real world 
will obviously put other parameters in the balance, like 
simplicity, stability, cost... Some partial comparisons are 
available in the literature; but, to our knowledge, this is 
the first systematic attempt of comparing all the most 
meaningful platforms of practical QKD. Of course, any 
attempt of putting all platforms on equal footing con- 
tains elements of arbitrariness, which we shall discuss. 
Also, we are bounded by the state-of-the-art, both con- 
cerning the performance of the devices and the develop- 
ment of the security proofs, as largely discussed in the 
previous sections. We have chosen to compare the best 
available bounds, which however do not correspond to the 
same degree of security: for the implementations of the 
BB84 coding, we have bounds for unconditional security; 
for continuous variable systems, we have security against 
collective attacks; for the new protocols like COW and 
DPS, we have security only against specific families of 
attacks. Also, one must be reminded that all security 
proofs hold under some assumptions: these have been 
discussed in Sections IIV1 IVl and IVII it is crucial to check 
if they apply correctly to any given implementation. 



I% uw {p) = e + (l-e)h 



l + F v {p) 



(77) 



64 For the family of attacks under study, the rate scales linearly 
with the losses, therefore the difference between calibrated and 
uncalibrated devices is only due to the dark counts. We have to 
warn that the attacks based on unambiguous state discrimina- 
tion, which have been studied explicitly for calibrated devices 
dBranc iard et a/., 2007|), are expected to become significantly 
more critical in the uncalibrated-device scenario. However, this 
more complex family of attacks can be further restricted by a 
careful statistical analysis of the data: we can therefore leave it 
out of our analysis, which is anyway very partial. 
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As stressed many times, the security of a given QKD 
realization must be assessed using measured values. Here, 
we have to present some a priori estimates: they neces- 
sarily involve choices, which have some degree of arbi- 
trariness. The first step is to provide a model for the 
channel: the one that we give (|VII.A.1|) corresponds well 
to what is observed in all experiments and is therefore 
rather universally accepted as an a priori model. At the 
risk of being redundant, we stress that the actual realiza- 
tion of this specific channel is not a condition for security: 
Eve might realize a completely different channel, and the 
general formulas for security apply to any case 65 . Once 
the model of the channel accepted, one still has to choose 
the numerical values for all the parameters. 



1. Model for the source and channel 

We assume that the detection rates are those that are 
expected in the absence of Eve, given the source and 
the distance between Alice and Bob. As for the error 
rates, we consider a depolarizing channel with visibility 
V . For an a priori choice, the modeling of the channel 
just sketched is rather universally accepted. In detail, it 
gives the following: 

Discrete-variable protocols, P&M. We consider imple- 
mentations of the BB84 coding. The rate is estimated by 
R = v s [V + 'Pd] with V = En>iPA(n)[l - (1 - tt B v) n ] 
and V d = 2pdI] n >o^( n )( 1 ~ tt B ri) n - The error rate 
in the channel is e = (1 — V)/2, so the expected er- 
ror rate is Q — \eV + Vd/2]/(R/i'g). For weak coher- 
ent pulses without decoy states, pa(X) — e~ M /i, pA(n > 
2) = 1 — e~ M (l + /i), and we optimize K, given by (|3"Tj) . 
over /i. For weak coherent pulses with decoy states, we 
consider an implementation in which one value of fi is 
used almost always, while sufficiently many others are 
used, so that all the parameters are exactly evaluated. 
The statistics of the source are as above; Y$ is estimated 
by v s 2p d p A (0) I R, Yi by D s PA{^)tt B ri/ R, and we opti- 
mize K given by (|34[) over fi. For perfect single-photon 
sources, PaO-) — 1 and £u(n > 2) = 0; we just compute 
(f3"Tj) . as there is nothing to optimize. 

Discrete-variable protocols, EB. Again, we consider 
implementations of the BB84 coding. Since most of 
the experiments have been performed using cw-pumped 
sources, we shall restrict to this case 66 . For such sources, 



the probability of having multiple pairs is £ = with 
good precision, therefore the bounds (|12"|) and (|4*5|) for 
K are identical. K will be optimized over //, the mean 
pair-generation rate of the source. Note that given 



65 The attacks we studied against DPS and COW, Section |VT] do 
suppose a model of the channel. This is a signature of the incom- 
pleteness of such studies. Security can be guaranteed by adding 
that, if the channel deviates from the expected one, the protocol 
is aborted. A full assessment of the channel, of course, requires 
additional tests: the fact that data can be reproduced by a chan- 
nel model does not imply that the channel model is correct (for 
instance, in weak coherent pulses implementations of BB84 with- 
out decoy states, the observed parameters are compatible both 
with a BS and a PNS attack). 

66 Pulsed sources can be treated in a similar way. For short pulse 



by Eq. (|20|) depends on fj,'; given this, one has ^(1) ~ 1 
and pa(2) « fjf At if //At <C 1: indeed, neglecting dark 
counts, whenever any of Alice's detectors fires there is 
at least one photon going to Bob; and the probability 
that another pair appears during the coincidence win- 
dow At is approximately //At. The total expected error 
isQ = [(e + e')r + V d /2}/(R/D s ), where e = (l-F)/2as 

above and s' w is the error rate due to double-pair 
events. 

Continuous-variable protocols. We consider the proto- 
col that uses coherent states with Gaussian modulation, 
and compute the best available bound ([55]) . which give 
security against collective attacks. The reference beam 
is supposed to be so intense, that there is always a signal 
arriving at the homodyne detection, so R = v$- The er- 
ror is modeled by (f58|) . Now, just as for discrete variable 
protocols one can optimize K over the mean number of 
photons (or of pairs) fi for each distance, here one can 
optimize K over the variance v of the modulation. Note 
that this optimization outputs rather demanding values, 
so that only recently it has become possible to implement 
them in practice, tha nks to the latest devel opments in er- 
ror correction codes ( Leverrier et aLl . l2008l ). 

Distributed-phase-reference protocols. As mentioned, 
apart from the errorless simple formula exists only 

for COW, which moreover is valid only at not too short 
distances. We use this bound to represent distributed- 
phase reference protocols in this comparison, keeping in 
mind that DPS performs slightly better, but that any- 
way only upper bounds are available. Specifically, we 
have R ~ vs^ttBTj + 2pd\] we optimize then K(fi) given 
by ([75)1 over fx, and keep the value only if [i op tt < 0.1. 
The expected error rate is formally the same as for P&M 
BB84; recall however that here the bit-error e is not re- 
lated to the visibility of the channel and must be chosen 
independently. 



2. Choice of the parameters 

We shall use two sets of parameters (Table UlT) : set #1 
corresponds to today's state-of-the-art, while set #2 re- 
flects a more optimistic but not unrealistic development. 
Moreover, we make the following choices: 



schemes, one would have pa(X) ~ A* an d Pa(2) ~ jfJ. 2 if <C 1; 
for long-pulse pumping, the statistics of pairs is approximately 
Poissonian: PaW ~ H an d Pa(2) ~ /J 2 /2 if fi < 1 and the 
most of the multi-pair events are uncorrelatcd. In both cases, 
the intrinsic error rate due to double-pair events is e! ~ /J./ 2 
(Eiscnbcrg et al. 1, 12004 IS car am et al.l , 12005 1). Note that the pa- 
rameter £ may be different from in the case of short pulse 
schemes. 
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Platform 


Parameter 


Set #1 


Set #2 




fi mean intensity 


(opt.) 


(opt.) 




V visibility: P&M 


0.99 


0.99 




V visibility: EB 


0.96 


0.99 


BB84, 


tB transmission in Bob's device 


1 


1 


COW 


r\ det. efficiency 


0.1 


0.2 




Pd dark counts 


10~ 5 


nr 6 




e (COW) bit error 


0.03 


0.01 




( (EB) coherent 4 photons 










leak EC code 


1.2 


1 




v = va + 1 variance 


(opt.) 


(opt.) 




e optical noise 


0.005 


0.001 


CV 


r\ det. efficiency 


0.6 


0.85 




Vei electronic noise 


0.01 







(3 EC code 


0.9 


0.9 



TABLE II Parameters used for the a priori plots in this Sec- 
tion. See main text for notations and comments. The caption 
(opt.) means that the parameter will be varied as a function 
of the distance in order to optimize K. 



• Unless specified otherwise (see IVII.B.2j) . the plots 
use the formulas for the uncalibrated-device sce- 
nario. The reason for this choice is the same as dis- 
cussed in Sec. IIII.B.5I unconditional security has 
been proved only in this over-pessimistic scenario. 

• Since we are using formulas that are valid only in 
the asymptotic regime of infinitely long keys, we re- 
move the nuisance of sifting by allowing an asym- 
metric choice of bases or of quadratures. Specif- 
ically, this leads to vs = f° r both BB84 and 
continuous-variables. Similarly, for COW we can 
set / = 0, whence i>s — 

• For dcfinitcncss, we consider fiber-based implemen- 
tations; in particular, the relation between distance 
and transmission will be (fT7|) with a = 0.2dB/km; 
and the parameters for photon counters are given at 
telecom wavelengths (Table Hlj) . The reader must 
keep in mind that in free space implementations, 
where one can work with other frequencies, the 
rates and the achievable distance may be larger. 



Second, we have considered "steady-state" key rates, be- 
cause we have neglected the time needed for the classical 
post-processing; this supposes that the setup is stable 
enough to run in that regime (and it is fair to say that 
many of the existing platforms have not reached such a 
stage of stability yet). Third, the real performance is of 
course K: in particular, if some implementations have 
bottlenecks at the level of v$ (see llll.Al) . the order of the 
curves may change significantly. 
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B. Comparisons based on K 

1. All platforms on a plot 

As a first case study, we compare all the platforms on 
the basis by plotting Kjvs as a function of the transmit- 
tivity t of the channel. The result is shown in Fig. 2J As 
promised, we have to stress the elements of arbitrariness 
in this comparison (in addition to the choices discussed 
above). First of all, we recall that the curves do not 
correspond to the same degree of security (see IVII.AI) . 



FIG. 4 (Color online). Kfvs as a function of the transmit- 
tivity t, for all the platforms. Legend: 1-ph: perfect single- 
photon source, unconditional; WCP: weak coherent pulses 
without decoy states, unconditional; decoy: weak coherent 
pulses with decoy states, unconditional; EB: entanglement- 
based, unconditional; CV: continuous-variables with Gaus- 
sian modulation, security against collective attacks; COW: 
Coherent- One- Way, security against the restricted family of 
attacks described in Sec. IVI.B.2I Parameters from Table HT1 
set #1 upper graph, set #2 lower graph. 
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2. Upper bound incorporating the calibration of the devices 

As a second case study, we show the difference between 
the lower bounds derived in the uncalibrated-device sce- 
nario, and some upper bounds that incorporate the cali- 
bration of the devices. 

We focus first on BB84 implemented with weak coher- 
ent pulses; the upper bounds under study have been 
derived in Sec. IIV.CI The plots in Fig. [5] show how 
much one can hope to improve the unconditional security 
bounds from their present status. As expected, the plot 
confirms that basically no improvement is expected for 
implementations with decoy states, because there only 
the treatment of dark counts is different; while the bound 
for implementations without decoy states may still be the 
object of significant improvement. 



10 15 
t[dB] 

FIG. 5 (Color online). K/vs as a function of the transmission 
t for the P&M implementations of BB84 with weak coherent 
pulses: comparison between the lower bound (solid lines, same 
as in Fig. [4] upper graph) and the upper bound for calibrated 
devices (dashed lines) . Legend as in Fig. [4] Parameters from 
Table HIl set #1. 

We turn now to CV QKD with Gaussian modulation. 
Bounds for the security against collective attacks as- 
suming calibrated devices are given in Eqs (5)-(12) of 
( Lodewvck. Bloch et all 120071 ). The plots are shown in 
Fig. [6l One sees that the difference between the two 
scenarios is significant for set #1 of parameters, but is 
negligible for the more optimistic set #2. This is interest- 
ing, given that the efficiency rj of the detectors is "only" 
85% in set #2. 



C. Comparison based on the "cost of a linear network" 

We consider a linear chain of QKD devices, aimed at 
achieving a secret key rate .Ktarget over a distance L. 
Many devices can be put in parallel, and trusted repeater 
stations are built at the connecting points. Each individ- 
ual QKD device is characterized by the point-to-point 
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FIG. 6 (Color online) . K/us as a function of the transmission 
t for CV QKD with Gaussian modulation, security against 
collective attacks, comparison between the lower bound (solid 
lines, same as in Fig. [4} and the upper bound for calibrated 
devices (dashed lines) for both sets of parameters from Table 
Hi Compared to Fig. [4] the color of the lines of set #1 was 
changed for clarity. 



rate K(£) it can achieve as a function of the distance 



l K ta 



and by its cost C\. We need N 
achieve the goal, so the cost of the network is 



l K(i) 



devices to 



(17 



(79) 



The best platform is the one that minimizes this cost, 
i.e., the one that maximizes F(£) = £K(£). This quantity, 
normalized to i/g, is plotted in Fig. [7] as a function of the 
distance for both sets of parameters defined in Table [Til 
Of course, this comparison presents the same elements of 
arbitrariness as the previous one. 

The optimal distances are quite short, and this can be 
understood from a simple analytical argument. Indeed, 
typical behaviors are K{£) oc t (single-photon sources, at- 
tenuated lasers with decoy states, strong reference pulses) 
and K{£) oc t 2 (weak coherent pulses without decoy 
states). Using t = 10~" £ / 10 , it is easy to find £ opt which 
maximizes F(£): 



K{£) oc t k 



£ opt = 10/(/calnl0). 



In particular, for a rs 0.2dB/km, one has I, 



for k = 1 and 



•opt 



10km for k = 2. 



opt 



(80) 



20km 



In conclusion, our toy model suggests that, in a net- 
work environment, one might not be interested in push- 
ing the maximal distance of the devices; in particu- 
lar, detector saturation (which we neglected in the plots 



In this first t oy model, we neglect th e cost of the trusted repeater 
stations; see (All caumc for a more elaborated model. 
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above) may become the dominant problem instead of 
dark counts. 
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FIG. 7 (Color online). F/vs as a function of the distance I 
for all the platforms. Legend as in Fig. [4] Parameters from 
Table |nl set #1 upper graph, set #2 lower graph. 



VIII. PERSPECTIVES 

A. Perspectives within QKD 

1. Finite-key analysis 

As stressed, all the security bounds presented in this 
review are valid only in the asymptotic limit of in- 
finitely long keys. Proofs of security for finite-length 
keys are obviously a crucial tool for practical QKD. 
The estimate of finite-key effects, unfortunately, has 
received v ery limited attention so far. The pioneer- 
ing works (llnamori. Liitkenhaus and Mavera . 2001-2007; 
Mayers, 1996), as well as some subsequent ones (jHavashil 



120061: 1 Watanabe et all [2001 . have used non-composable 
definitions of security (see III.C.2[) . This is a problem 
because the security of a finite key is never perfect, so 
one needs to know how it composes with other tasks. 
Others studied a new formalism but fai led to prove 
unconditional security (M ever et all l2006f) . The most 
recent works comply with the r equirements ( HavashH . 
l2007at IScarani and Rennerj . |2008( ); finite statistics have 
been incorporat e d in the analysis of an experiment 
(jHasegawa et all , l2007r i. Without going into details, all 
these works estimate that no key can be extracted if fewer 
than N as 10 5 signals are exchanged. 



2. Open issues in unconditional security 

We have said above that, for CV QKD and distributed- 
phase reference protocols, no unconditional security 
proof is available yet. However, there is an important 
difference between these cases. In the existing CV QKD 
protocols, the information is coded in independent sig- 
nals; as such, it is believed that unconditional security 
proofs can be built as generalizations of the existing ones 
(see also Note added in proof below). On the contrary, 
the impossibility of identifying signals with qubits in 
distributed-phase reference protocols will require a com- 
pletely different approach, which nobody has been able 
to devise at the moment of writing. 

As explained in Sec. IIII.B.51 all unconditional secu- 
rity proofs have been derived under the over-conservative 
assumption of uncalibrated devices. Ideally, such an as- 
sumption should be removed: one should work out un- 
conditional security proofs taking into account the knowl- 
edge about the detectors; this would lead to better rates. 
A possible solution consists in including the calibration of 
the devices in the protocol itself; t he price to pay seems 
to be a complication of the setup ( Qi et all [2007). The 
idea is somehow similar to the one used in decoy states. 
We also discussed how calibrated-device proofs may ul- 
timately provide significant improvement only for some 
protocols (see lVII.B.2p . The difference between protocols 
can be understood from the fact that typically K ~ t a 
where t is the transmittance and a > 1. When a = 1, 
then the only advantage of calibrating the devices can 
come from the dark count contribution. If on the con- 
trary a > 1 (weak coherent pulses without decoy states: 
a = 2 for BB84, a = § for SARG04), then the differ- 
ence is much larger, because it matters whether tsT] is 
included in the losses or not. The urgency of this rather 
ungrateful 68 task is therefore relative to the choice of a 



68 Here is an example of the complications that might appear. 
When taking the calibration into account, it is often assumed 
that the dark counts do not enter in Eve's information. Actu- 
ally, things are more subtle. On the one hand, most of the dark 
counts will actually decrease Eve's information, because she does 
not know if a detection is due to the physical signal (on which she 
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protocol. 



3. Black-box security proofs 

The development of commercial QKD systems makes 
it natural to ask whether the "quantumness" of such de- 
vices can be proved in a black-box approach. Of course, 
the compulsory requirements (jll.C.lj) must hold. For in- 
stance, the random number generator cannot be within 
the black box, because it must be trusted; one must also 
make sure that no output port is diffusing the keys on the 
internet; and so on. Remarkably though, all the quan- 
tum part can in principle be kept in a black-box. The 
idea is bas i cally the one that triggered Ekert's discov- 
ery (jEkertl . Il99ll ). although Ekert himself did not push 
it that far: the fact, that Alice and Bob observe correla- 
tions that violate a Bell inequality, is enough to guarantee 
entanglement, independent of the nature of the quantum 
signals and even of the measurements that are performed 
on them. This has been called "device-independent se- 
curity"; a quantitative bound was computed for collec- 
tive attacks on a modification of Ekert's protocol, the 
goal of prov i ng un conditional security is still unattained 
( Acm et "ail . 120071 ). Device- independent security can be 
proved only for entanglement-based schemes: for this def- 
inition of security, the equivalence EB-P&M presented in 
Sec. III. B. 21 does not hold. As long as the detection loop- 
hole is open, these security proofs cannot be applied to 
any system; but by re-introducing some knowledge of the 
devices, they might provide a good tool for disposing of 
all quantum side-channels (|III.B.4[) . 



4. Toward longer distances: satellites and repeaters 

The attempt of achieving efficient QKD over long 
distances is triggering the most ambitious experimen- 
tal developments. Basically two solutions are be- 
ing envisaged. The first is to use the techniques of 
free space quant um communication to realize qround- 
to-satellite links (lAspelmever et al. , 2003|; iButtler et all 
119981 : iRaritv et all l2002jT The main challenges are tech- 
nical: to adapt the existing optical tracking techniques 
to the needs of quantum communication, and to build 
devices that can operate in a satellite without need of 
maintenance. 

The secon d sol ution are quan tum repeaters 

(|Briegel et all Il998t iDiir et all . 1 19991) . The basic 



has gained some information) or is a completely random event. 
On the other hand, if a detection happens shortly after a previous 
one, Eve may guess that the second event is in fact a dark count 
triggered by an afterpulse, and therefore learn some correlations 
between the two results. Admittedly, these are fine-tuning cor- 
rections, and have never been fully discussed in the literature; but 
if one wants to prove unconditional security, also these marginal 
issues must be properly addressed. 



idea is the following: the link A-B is cut in segments 
A-Ci, C1-C2, C„-B. On each segment independently, 
the two partners exchange pairs of entangled photons, 
which may of course be lost; but whenever both partners 
receive the photon, they store it in a quantum memory. 
As soon as there is an entangled pair on each link, the 
intermediate stations perform a Bell measurement, thus 
ultimately swapping all the entanglement into A-B. 
Actually, variations o f this basic scheme may be more 
practical (jDuan et all , l200ll ). Whatever the exact im- 
plementation, the advantage is clear: one does not have 
to ensure that all the links are active simultaneously; 
but the advantage can only be achieved if quantum 
memories are available. The experimental research in 
quantum memories has boosted over the last years, but 
the applications in practical QKD are still far away 
because the requirements are challenging (see Appendix 

Teleportation-based links have been studied also in 
the absence of quantum memories (quantum relays). 
They are rather inefficient, but allow to reduce the nui- 
sance of the da rk counts and therefore increase the lim- 
iting distance (ICollins. Gisin and de Riedmattenl . 120051 : 



I Jacobs. Pittman and Fransonl 2002h ; however, it seems 
simpler and more cost-effective to solve the same prob- 
lem by using cryogenic detectors (see III.GI) . 



5. QKD in networks 

QKD is a point-to-point link between two users. But 
only a tiny fraction of all communication is done in ded- 
icated point-to-point links, most communication takes 
place in networks, where many users are interconnected. 
Note that one-to-many connectivity between Q KD de- 
vices can be obtained with optical switching ( Elliotd . 
120021 : lElliott et all , 120051: iTownsend etai\ . \l994i . 

In all models of QKD networks, the nodes are operated 
by authorized partners, while Eve can eavesdrop on all 
the links. If the network is built with quantum repeaters 
or quantum relays, no secret information is available to 
the nodes: indeed, the role of these nodes is to perform 
entanglement swapping, so that Alice and Bob end up 
with a maximally entangled — therefore fully private 
— state. Since quantum repeaters are still a challenge, 
trusted relays QKD networks have been considered. In 
this case, the nodes learn secret information during the 
protocol. In the simplest model, a QKD key is created be- 
tween two consecutive nodes and a message is encrypted 
and decrypted hop-by-hop. This model has been adopted 
by BBN Technologies and by the SECOQC QKD 
netw o rks (lAlleaume et all, 120071: IDianati and Alleaumg . 



2006; IDianati et all 12008: Elliott, 2002; Elliot t et al. 



20051 ). Alternatively, the trusted relays can perform an 



intercept-resend chain at the level of the quantu m signal 
( Bechmann-Pasquinucci and Pasquinuccil . I2005T ) . 
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B. QKD versus other solutions 

Information-theoretically (unconditionally) secure key 
distribution (key agreement), is a cryptographic task 
that, as is well known, cannot be solved by public com- 
munication alone, i.e. without employing additional re- 
sources or relying on additional assumptions. Besides 
QKD, the additional resource in this case being the 
quantum channel, a number of alternative schemes to 
this end have been put forward (lAhlswede and Csiszari 
Csiszar and Kornerl . Il978t iMaurerL Il993t IWvnerl . 



1993 



19751 ) , to which on e can also count the tr aditional trusted 



courier approach ( Alleaume et all [20071 ). While the lat- 
ter is still used in certain high security environments, 
QKD is the sole automatic, practically feasible and ef- 
ficient information-theoretically secure key agreement 
technology, whereby in the point-to-point setting, lim- 
itations of distance and related key rate apply. These 
limitations can be lifted by using QKD networks, see 
IVIII.AI 

With this in mind, we address below typical secure 
communication solutions in order to relate this subse- 
quently to the assets offered by QKD. Secure commu- 
nication in general requires encrypted (and authentic) 
transition of communication data. In current standard 
cryptographic practice both the encryption schemes and 
the key agreement protocols used (whenever needed) are 
not unconditionally secure. While there is really a very 
broad range of possible alternatives and combinations, 
the most typical pattern for confidential communica- 
tion is the following: public key exchange protocols are 
used to ensure agreement of two identical keys; the en- 
cryption itself is done using symmetric-key algorithms. 
In particular, most often some realizat i on of the Diffie- 
Hellman algorithm ( Diffie and Hellmanl . [l976) is used in 
the key agreement phase. The symmetric-encryption al- 
gorithms most widely used today belong to the bloc- 
ciphe r class a nd are typically 3DES (ICoppersmith et all , 
ll996l )or AES (|Daemen and Riimenl . l200ll ). 

The security of the Difhe-Hellman algorithm is based 
on the assumption that the so called Diffie-Hcllman prob- 
lem is hard to solve, the complexity of this problem being 
ultimately related to the hardness of the dis c rete l oga- 
rithm problem (see (jMaurer and WolJ . Il999l |2000| ) for 
a detailed discussion). It is widely believed, although 
it was never proven, that the discrete logarithm prob- 
lem is classically hard to solve. This is not true in the 
quantum case, since a quantum computer, if available, 
can exec ute a correspondi ng efficient algorithm by Pe- 
ter Shor (jShorl . 1 19941 . 1 19971 ) . which is based on the same 
fundamental approach as is the Shor factoring algorithm, 
already mentioned in Sec. II. Al 

It should be further noted that that, similar to QKD, 
the Diffie-Hcllman protocol can trivially be broken, if 
the authenticity of the communication channel is not 
ensured. There are many means to guarantee commu- 
nication authenticity with different degrees of security 
but in any case additional resources are needed. In cur- 



rent common practice public key infrastructures are em- 
ployed, which in turn rely on public-key cryptographic 
primitives (digital signatures), i.e. rely on similar as- 
sumptions as for the Diffie-Hcllman protocol itself, and 
on trust in external certifying entities. 

Turning now to encryption it should be underlined that 
the security of a block-cipher algorithm is based on the 
assumption that it has no structural weaknesses, i.e. that 
only a brute force attack amounting to a thorough search 
of the key space (utilizing pairs of cipher texts and corre- 
sponding known or even chosen plain texts) can actually 
reveal the secret key. The cost of such an attack on a 
classical computer is O(N) operations, where N is the 
dimension of the key space. The speed-up of a quan- 
tum computer in this case is moderate, the total number 
of operatio ns to be performed being 0(y/~N) (jGroverl 
Il996l Il997f ). The assumption on the lack of structural 
weaknesses itself is not related to any particular class of 
mathematical problems and in the end relies merely on 
the fact that such a weakness is not (yet) known. Cryp- 
tographic practice suggests that for a block-cipher algo- 
rithm such weaknesses are in fact discovered at the latest 
a few decades after its introduction 69 . 

Before turning to a direct comparison of the described 
class of secure communication schemes with QKD-based 
solutions, it should be explained why public-key based 
generation combined with symmetric-key encryption is 
actually the most proliferated solution. The reason is 
that currently AES or 3DES encryption, in contrast to 
direct public-key (asymmetric) encryption, can ensure a 
high encryption speed and appears optimal in this re- 
spect. Typically high speed is achieved by designing ded- 
icated hardware devices, which can perform encryption 
at very high rate and ensure a secure throughput of up 
to 10Gb per second. Such devices are offered by an in- 
creasing number of producers (see e.g. ATMedia GmbH, 
www.atmedia.de) and it is beyond the scope of the cur- 
rent article to address these in any detail. We would like 
however to underline an important side- aspect. In gen- 
eral, security of encryption in the described scenario is 
increased by changing the key often, the rate of change 
being proportional to the dimension of the key space. In 
practice, however, even in the high speed case, the key 
is changed at a rate lower than once per minute (often 
once per day or even more seldom). The reason for this 
is twofold: on the one hand public key agreement algo- 
rithms are generally slow and on the other, and more 
importantly, current design of the mentioned dedicated 
encryption devices is not compatible with a rapid key 
change. 

The question now is how QKD compares with the stan- 
dard practice as outlined above. It is often argued that 
QKD is too slow for practical uses and that the limited 
distance due to the losses is a limitation to the system as 



69 Vincent Rijmen, private communication. 
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such. In order to allow for a correct comparison one has 
to define the relevant secure communication scenarios. 
There are two basic possibilities: (i) QKD is used in con- 
junction with One-Time Pad, (ii) QKD is used together 
with some high speed encryptor (we note in passing that 
the second scenario appears to be a main target for the 
few QKD producers). 

The rate as a function of distance has been discussed in 
detail in the preceding sections. Here we shall consider an 
average modern QKD device operating in the range of 1 
to 10kbps over 25 km; the maximal distance of operation 
at above 100 bps being around 100 km. 

Case (i) obviously offers information-theoretic security 
of communication if the classical channel, both in the 
key generation and the encryption phase, is addition- 
ally authenticated with the same degree of security. As 
this overhead to this end is negligible the QKD genera- 
tion rates as presented above are also the rates for se- 
cure communication. Obviously this is not sufficient for 
broad-band data transmission but pretty adequate for 
communicating very-highly sensitive data. Another ad- 
vantage of this combination is the fact that keys can be 
stored for later use. 

The security of the case (ii) is equivalent to the security 
of the high speed encryption, which we addressed above, 
while all treats related to the key generation-phase are 
eliminated. At 25 km the QKD speed would allow key 
refreshment (e.g. in the case of AES with 256 bit key 
length) of several times per second. This is remarkable 
for two reasons: first, this is on or rather beyond the 
key-exchange capacity of current high speed encryptors; 
second, it compares also to the performances of high level 
classical link encryptors, which refresh AES keys a few 
times per second using Diffie-Hellman elliptic curve cryp- 
tography for key generation. 

So in the second scenario QKD over performs the stan- 
dard solution at 25 km distance both in terms of speed 
and security. 

Regarding the distance an interesting point is that clas- 
sical high-end encryptors use direct dark fibers, not for 
reasons related to security but for achieving maximal 
speed, which also gives them a limitation in distance. 
However, classical key generation performed in software 
is naturally not bounded by the distance. In this sense 
standard public-key based key agreement appears supe- 
rior. This is however a QKD limitation, which is typical 
for the point-to-point regime. As mentioned above, it is 
lifted in QKD networks. 



Note added in proof 

While this paper was being finalized, three groups have 
independently claimed to have solved one of the pend- 
ing issues toward unconditional security proofs of CV 
QKD (see Sec. IV. A|) : namely, the fact that the security 
bound for collective and for general attacks should coin- 
cide asymptotically. On the one hand, a new exponential 



de Finetti theorem has been presented, which would ap- 
ply to infinite-dimensional systems u nder some assump- 
tions that are fulfilled in CV QKD (|Renner and Cirad . 
120091 ; ?). A different argument reaches the same con- 
clusion wit hout any need for a de Finetti-type theorem 
altogether ( Leverrier. Karpov. Grangier and CerJ . l2008t) . 
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APPENDIX A: Unconditional security bounds for BB84 
and six-states, single-qubit signals 

In this Appendix, we present a deriv ation of the uncon- 
dition al security bounds for the BB84 |Shor and Preskiil 
I2000D and the six-state protocol (Lo, 200 1|) for the case 
where each quantum signal is a single qubit, or more 
generally when the quantum channel is a qubit channel 
followed by a qubit detection 70 . 

As usual, the proof is done in the EB scheme, the 
application to the P&M case following immediately as 
discussed in Sec. III. B. 21 Alice produces the state 
|$+) = ^(|00> + |11)), she keeps the first qubit and 
sends the other one to Bob. This state is such that 

+1 (perfectly correlated out- 



comes) and (a v <g> a y ) = — 1 (perfectly anti-correlated 
outcomes); to have perfect correlation in all three bases, 
Bob flips his result when he measures o~ y . We suppose 
an asymmetric implementation of the protocols: the key 
is extracted only from the measurements in the Z basis, 
which is used almost always; the other measurements are 
used to estimate Eve's knowledge on the Z basis, and 



70 For real optical channels, we assume therefore the tagging 
method for real sources and the squashing model for the de- 



tection, see lIV.A.2l 
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will be used on a negligible sample (recall that we work 
in the asymptotic regime of infinitely long keys). 

Now we follow the tech niques 

of dKraus. Gisin and Rennerl . 120051 : 

iRenner. Gisin and KrausT " 20051 ). Without loss of 
generality, the symmetries of the BB84 and the six-state 
protocols 71 imply that one can compute the bound by 
restricting to collective attacks, and even further, to 
those collective attacks such that the final state of Alice 
and Bob is Bell-diagonal: 



PAB = Ai|$+)<$+|+A 2 |$-)($-| 
+A 3 |tf + )(tf+| + A 4 |*->(*- 



(Al) 



with Y^,i^i = 1- Since l^*) give perfect correlations in 
the Z basis, while ) give perfect anti-correlations, the 
QBER e z is given by 



e z — A 3 + A 4 . 
The error rates in the other bases are 



Ex — A2 + A4 



Ey — A2 + A3 



(A2) 



(A3) 



Eve's information is given by the Holevo bound ([24]) 
Ie = S(pe)—^S(p e \ )—^S(pe\i) since both values of the 
bit are equiprobable in this attack. Since Eve has a purifi- 
cation of pab, S(p E ) = S{pab) = H ({Ai, A 2 , A 3 , A 4 }) = 
H(X) where H is Shannon entropy. The computation of 
PE\b is made in two steps. First, one writes down ex- 



plicitly the purification 7 



ABE 



AB I 



where we used an obvious change of notation for the 
Bell states, and where (e^e.,) = 5^j. Then, one traces 
out Bob and projects Alice on | + z) for b = 0, on 
I — z) for 6=1. All calculations done, the result is 
S(Pe\o) = S(pe\i) = h(e z ). So we have obtained 



I E (X) = H(X) — h(e z ) . 



(A4) 



Now we have to particularize to the two protocols under 
study. 

Let's start with the six-state protocol. In this case, 
both e x and e y are measured, so all the four A's are di- 
rectly determined. After easy algebra, one finds 



Ie{§) = E z h 



1 + (e x - e y )/e z 



-(l-Ez)h 



l-(e x +e y +e z )/2 



l-e 2 



(A5) 



71 Actually, a lower bound can be computed in the same way for 
a very general class of protocols; but i t may not be tight, as 
explicitly found in the case of SAR G04 feranciard et ad |2005| ; 
Kraus, Branciard and Rentier, 2007). 

72 All purifications are equivalent under a local unitary operation 
on Eve's system, so Eve's information does not change with the 
choice of the purification. 



Under the usual assumption of a depolarizing channel, 
e x = E y = e z — Q, this becomes 



Ie{Q) = Q + (l-Q)h 



1 - 3Q/2 



1 



(A6) 



The corresponding secret fraction (one-way post- 
processing, no pre-processing and perfect error correc- 
tion) is r = 1 — h(Q) — Ie(Q), which goes to for 
Q fa 12.61%. 

The calculation is slightly more complicated for BB84, 
because there only e x is measured; therefore, there is still 
a free parameter, which must be chosen as to maximize 
Eve's information. The simplest way of performing this 
calculation consists in writing Ai = (1 — s z )(l — u), X2 = 
(1 — e z )u, A3 = e z (l — v), A4 = e z v, where u,v £ [0,1] 
are submitted to the additional constraint 



(1 - e z )u + e z v 



(A7) 



Under this parametrization, H (A) = h(e z )+(l— e z )h(u) 
e z h(v) and consequently 



IeQO = (l~e z )h(u) + s z h(v) 



(A8) 



to be maximized under the constraint (|A7[) . This can be 
done easily by inserting v = v(u) and taking the deriva- 
tive with respect to u. The result is that the optimal 
choice is u = v = e x so that 



I E (e) = h{e x ). 



(A9) 



The usual case is e x = e z = Q, which however here does 
not correspond to the depolarizing channel: the relations 
above imply e y = 2Q(1 — Q), which corresponds to the 
applica tion of the so-call e d "phase-covarian t cloni ng ma- 
chine" (iBrufiet all 12005 iGriffiths and Niul . I1997D . The 
corresponding secret fraction (again for one-way post- 
processing, no pre-processing and perfect error correc- 
tion) is r = 1 — h(Q) — Ie(Q), which goes to for 
Q«ll%. 



APPENDIX B: Elementary estimates for quantum 
repeaters 

1. Quantum memories 

A quantum memory is a device that can store an 
incoming quantum state (typically, of light) and re- 
emit it on demand without loss of coherence. A 
full review of the research in quantum memories is 
clearly beyond our scope. Experiments are being pur- 
sued using s evera l techniques, lik e atom ic ensembles 
' Chou et all l2007t lJulsgaard et all . I2004D. NV centers 



.Childress et al. .120061). d oped crystals (| Alexander et all 
120061 : IStaudt et aLl . l2007h . 



Two characteristics of quantum memories are espe- 
cially relevant for quantum repeaters. A memory is called 
multimode if it can store several light modes and one 
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0< 

A 



B 




elements). The memory has a typical time Tm, 
that we shall consider as a life-time 73 . 



• Bell measurement: linear optics, i.e. probability 
of success -j. Fidelity F, depolarized noise (i.e. a 
detection comes from the desired Bell state with 
probability F, from any of the others with equal 
probability (1 — F)/3). The detectors have effi- 
ciency rjM and no dark counts. 




M 



CI 



D 



C2 



B 



FIG. 8 Three configurations for quantum repeaters: direct 
link, two-link repeater and four-link repeater. 



can select which m ode to re-emi t ' mul timode memories 
are being realized ( Simon et al\ . I20Q7I ) . A memory is 
called heralded if its status (loaded or not loaded) can 
be learned without perturbation; there is no proposal 
to date on how to realize such a memory, and repeater 
schemes h ave been found th at work without heralded 
memories (|Duan et aLl . l200ll ). 



2. Model of quantum repeater 

Here we present a rapid comparison of the direct link 
with the two-link repeater and discuss the advantages and 
problems that arise in more complex repeaters. We con- 
sider the architectu re sketched i n Fig. [8j corresponding 
to the original idea ( Briegel et ali , ll998l T 



a. Definition of the model 

Our elementary model is described as follows: 

• Source: perfect two-photon source with repetition 
rate us; 

• Quantum channel: the total distance between Alice 
and Bob is I. The channel is noiseless; its losses 
characterized by a, we denote t — lCP"^/ 10 the 
total transmittivity. 

• Detectors of Alice and Bob: efficiency r\; neglected 
dark counts, dead-time and other nuisances. 

• Quantum memories: multimode memories that can 
store N modes. We write pu the probability that 
a photon is absorbed, then re-emitted on demand 
(contains all the losses due to coupling with other 



b. Detection rates 

For the direct link, the key rate is just the detection 
rate in our simplified model: 



K x =Ri 



ustrj 



(Bl) 



In the two-link repeater, the central station (Christoph) 
holds the two sources and the memories. Consider one 
of the links, say with Alice. The source produces groups 
of N pairs, each pair in a different mode; one photon per 
pair is kept in the memory, the other is sent to Alice. 
Alice announces whether she has detected at least one 
photon: if she has, Christoph notes which one; if she has 
not, Christoph releases the memory and starts the pro- 
tocol again. The same is happening on the other link, 
the one with Bob, independently. As soon as both part- 
ners have announced a detection, Christoph releases the 
corresponding photons, performs the Bell measurement 
and communicates the result to Alice and Bob, who post- 
select their results accordingly 74 . Note that the memories 
need not be heralded in this scheme. 

Here is the quantitative analysis of the two-link re- 
peater. Any elementary run takes the time for the photon 
to go from the source to the detector, then for the com- 
munication to reach back Christoph, i.e. £/c. In each run, 
the probability of a detection is 1 — (I — Vti]) N w Nytrj. 
Then, in average, the Bell measurement will be per- 
formed after a time 75 r « | -j^=- ■ Consequently, 



2PmVm ftr<T M 
otherwise 



(B2) 



73 That is, photons may be lost but do not decohere in the memory. 
Note that this can be the case even if th e atoms, which form the 
memory, do undergo some decoherence l|Staudt et al .. 2007). 

74 Recall that there is no time-ordering in quantum correlations: 
so, this procedure gives exactly the same statistics as the "usual" 
entanglement swapping, in which the Bell measurement is made 
beforehand. 

75 In fact, let x = 1 — (1 — Vtrj) N : the probability that Alice's 
(Bob's) detector is activated by the m-th group of N pairs is 
pi(m) = x(l — x) m ~ 1 . Therefore, the probability that both links 
are activated exactly by the n-th repetition is p(n) = 2pi(n)pi(< 
n) + Pi(n) 2 = x(l - x)"- 1 ^ - (2 - x)(l - x)* 1 " 1 ] with pi(< 
n) = —1 pi(rn). Finally, the number of repetitions needed 
to establish the link is (n> = ^ n np(n) = i ( 3 ~J** ) . 
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200 300 400 500 
distance [km] 



700 



FIG. 9 Comparison of K\ (straight line) and K%. For all 
curves: us = 10GHz, n = 0.5, tjm = 0.9, pm = 0.9, a = 
0.2dB/km (fibers), T M = 10s. Line (a): best case, N = 1000, 
F = 0.95; line (b): N = 1000, fidelity reduced to F = 0.9; 
line (c): supported modes reduced to N — 100, F — 0.95. 



where we have supposed that the memory time Tm de- 
fines a sharp cut, which is another simplification. This 
is the expected result: R2 scales with \[ti) and not with 
trj 2 , because each link can be activated independently. 
Finally, in our model, the error rate is uncorrelated with 
the other parameters and only due to the fidelity of the 
Bell measurement; so 



K 2 = R 2 [l- 2h(e)] 



(B3) 



with e = ^(1—F) because one of the "wrong" Bell states 
gives nevertheless the correct bit correlations. In particu- 
lar, the fidelity of a Bell measurement must exceed 83.5% 
to have K<x > 0. 

Some plots of K\ and K2 as a function of the distance 
are shown in Fig. [51 The chosen values are already opti- 
mistic extrapolations of what could be achieved in a not 
too distant future. We notice that quantum repeaters 
overcome the direct link for £ > 500km in fibers; with 
77 = 0.5 and N = 1000, this requires T M ~ 10s. Also, 
the number of modes supported by the memory is a more 
critical parameter than the fidelity of the Bell measure- 
ment. This analysis provides a rough idea of the perfor- 
mances to be reached in order for quantum repeaters to 
be useful. 

For the next step, the four-link repeater, we content 
ourselves with a few remarks. The four-link repeater al- 
lows in principle to reach the scaling R4 oc t 1 ^ 4 . The 
requirements for a practical implementation, however, 



become more stringent: the four memories must be re- 
leased before Tm ; there are three Bell measurements, so 
e < 11% requires F > 95%; also, p M > w p M t 1/A . More- 
over, it is easy to realize that the basic scheme (Fig. [S]) 
requir es heralded mem ories, although other schemes do 
not (jDuan et all 1200 if ). 
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